
US regulator hits Equifax with $700m data leak settlement

Equifax has agreed to pay up to $700m (£561m) as part of a settlement with a US regulator over a 2017 data breach.


The Federal Trade Commission (FTC) said the credit reference agency “failed to secure” the massive amount of personal information stored on its network, affecting 147 million people.

 

The breach, it said, exposed millions of names and dates of birth, social security numbers, physical addresses, and other personal information that could lead to identity theft and fraud.

 

In total, the FTC found 145.5 million social security numbers and 209,000 payment card numbers and expiration dates were compromised.

 

The Atlanta-based credit reference agency has agreed to pay at least $575m, and potentially up to $700m, as part of a global settlement with the FTC, the Consumer Financial Protection Bureau (CFPB), and 50 US states and territories.

 

At least $300m will go towards paying for identity theft services and other related expenses run up by the victims. This sum will go up to a maximum of $425m, if required, to cover the consumers’ losses.

 

“Companies that profit from personal information have an extra responsibility to protect and secure that data,” said FTC chairman Joe Simons. “Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers.

 

“This settlement requires that the company take steps to improve its data security going forward and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud.”

 

Equifax already settled with the UK’s Information Commissioner’s Office for $500,000 for failing to protect the data of 15 million British citizens in the same breach.

 

What led to the leak?

 

The FTC said in its report that Equifax failed to patch its network after being alerted in March 2017 to a critical security vulnerability affecting its Automated Consumer Interview System (ACIS) database, which handles inquiries from consumers about their personal credit data.

 

However, because of the way that Equifax’s IT systems had evolved, ACIS also provided a means for hackers to access other unrelated records stored by the firm.

 

The FTC found that, even though Equifax’s security team ordered that each of the company’s vulnerable systems be patched within 48 hours after receiving the alert, it did not follow up to ensure the order was carried out by the responsible employees.

 

As a consequence, several hackers were able to exploit the flaw and steal consumers’ personal details over a period of months.

 

Not only that, but they were able to access an unsecured file that included administrative credentials stored in plain text.

 

As part of the settlement, the FTC said that Equifax had also agreed to:

  • Carry out its own annual audit of security risks
  • Submit to an external assessment of its security efforts once every two years
  • Ensure that third parties given access to personal data stored by the firm also have adequate data protection measures in place
creditstrategy.co.uk – an online news and information service for the UK’s commercial and consumer credit industry. creditstrategy.co.uk is published by Shard Financial Media Limited, registered in England & Wales as 5481132, Axe & Bottle Court, 70 Newcomen St, London, SE1 1YT. All rights reserved. Credit Strategy is committed to diversity in the workplace.