US regulator hits Equifax with $700m data leak settlement

Equifax has agreed to pay up to $700m (£561m) as part of a settlement with a US regulator over a 2017 data breach.

The Federal Trade Commission (FTC) said the credit reference agency “failed to secure” the massive amount of personal information stored on its network, affecting 147 million people.

The breach, it said, exposed millions of names and dates of birth, social security numbers, physical addresses, and other personal information that could lead to identity theft and fraud.

In total, the FTC found 145.5 million social security numbers and 209,000 payment card numbers and expiration dates were compromised.

The Atlanta-based credit reference agency has agreed to pay at least $575m, and potentially up to $700m, as part of a global settlement with the FTC, the Consumer Financial Protection Bureau (CFPB), and 50 US states and territories.

At least $300m will go towards paying for identity theft services and other related expenses run up by the victims. This sum will go up to a maximum of $425m, if required, to cover the consumers’ losses.

“Companies that profit from personal information have an extra responsibility to protect and secure that data,” said FTC chairman Joe Simons. “Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers.

“This settlement requires that the company take steps to improve its data security going forward and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud.”

Equifax already settled with the UK’s Information Commissioner’s Office for $500,000 for failing to protect the data of 15 million British citizens in the same breach.

What led to the leak?

The FTC said in its report that Equifax failed to patch its network after being alerted in March 2017 to a critical security vulnerability affecting its Automated Consumer Interview System (ACIS) database, which handles inquiries from consumers about their personal credit data.

However, because of the way that Equifax’s IT systems had evolved, ACIS also provided a means for hackers to access other unrelated records stored by the firm.

The FTC found that, even though Equifax’s security team ordered that each of the company’s vulnerable systems be patched within 48 hours after receiving the alert, it did not follow up to ensure the order was carried out by the responsible employees.

As a consequence, several hackers were able to exploit the flaw and steal consumers’ personal details over a period of months.

Not only that, but they were able to access an unsecured file that included administrative credentials stored in plain text.

As part of the settlement the FTC said that Equifax had also agreed to:

  • Carry out its own annual audit of security risks
  • Submit to an external assessment of its security efforts once every two years
  • Ensure that third parties given access to personal data stored by the firm also have adequate data protection measures in place

creditstrategy.co.uk – an online news and information service for the UK’s commercial and consumer credit industry. creditstrategy.co.uk is published by Shard Financial Media Limited, registered in England & Wales as 5481132, Axe & Bottle Court, 70 Newcomen St, London, SE1 1YT. All rights reserved. Credit Strategy is committed to diversity in the workplace.