Credit Strategy homepage
Intelligence, Insight and community for responsible professionals in credit

US regulator hits Equifax with $700m data leak settlement

Equifax has agreed to pay up to $700m (£561m) as part of a settlement with a US regulator over a 2017 data breach.

The Federal Trade Commission (FTC) said the credit reference agency “failed to secure” the massive amount of personal information stored on its network, affecting 147 million people.


The breach, it said, exposed millions of names and dates of birth, social security numbers, physical addresses, and other personal information that could lead to identity theft and fraud.


In total, the FTC found 145.5 million social security numbers and 209,000 payment card numbers and expiration dates were compromised.


The Atlanta-based credit reference agency has agreed to pay at least $575m, and potentially up to $700m, as part of a global settlement with the FTC, the Consumer Financial Protection Bureau (CFPB), and 50 US states and territories.


At least $300m will go towards paying for identity theft services and other related expenses run up by the victims. This sum will go up to a maximum of $425m, if required, to cover the consumers’ losses.


“Companies that profit from personal information have an extra responsibility to protect and secure that data,” said FTC chairman Joe Simons. “Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers.


“This settlement requires that the company take steps to improve its data security going forward and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud.”


Equifax already settled with the UK’s Information Commissioner’s Office for $500,000 for failing to protect the data of 15 million British citizens in the same breach.


What led to the leak?


The FTC said in its report that Equifax failed to patch its network after being alerted in March 2017 to a critical security vulnerability affecting its Automated Consumer Interview System (ACIS) database, which handles inquiries from consumers about their personal credit data.


However, because of the way that Equifax’s IT systems had evolved, ACIS also provided a means for hackers to access other unrelated records stored by the firm.


The FTC found that, even though Equifax’s security team ordered that each of the company’s vulnerable systems be patched within 48 hours after receiving the alert, it did not follow up to ensure the order was carried out by the responsible employees.


As a consequence, several hackers were able to exploit the flaw and steal consumers’ personal details over a period of months.


Not only that, but they were able to access an unsecured file that included administrative credentials stored in plain text.


As part of the settlement, the FTC said that Equifax had also agreed to:

  • Carry out its own annual audit of security risks
  • Submit to an external assessment of its security efforts once every two years
  • Ensure that third parties given access to personal data stored by the firm also have adequate data protection measures in place

Thank you for your feedback – an online news and information service for the UK’s commercial and consumer credit industry. is published by Shard Financial Media Limited, registered in England & Wales as 5481132, Axe & Bottle Court, 70 Newcomen St, London, SE1 1YT. All rights reserved. Credit Strategy is committed to diversity in the workplace. @ Copyright Shard Media Group