US regulator hits Equifax with $700m data leak settlement

Equifax has agreed to pay up to $700m (£561m) as part of a settlement with a US regulator over a 2017 data breach.

The Federal Trade Commission (FTC) said the credit reference agency “failed to secure” the massive amount of personal information stored on its network, affecting 147 million people.

The breach, it said, exposed millions of names and dates of birth, social security numbers, physical addresses, and other personal information that could lead to identity theft and fraud.

In total, the FTC found 145.5 million social security numbers and 209,000 payment card numbers and expiration dates were compromised.

The Atlanta-based credit reference agency has agreed to pay at least $575m, and potentially up to $700m, as part of a global settlement with the FTC, the Consumer Financial Protection Bureau (CFPB), and 50 US states and territories.

At least $300m will go towards paying for identity theft services and other related expenses run up by the victims. This sum will go up to a maximum of $425m, if required, to cover the consumers’ losses.

“Companies that profit from personal information have an extra responsibility to protect and secure that data,” said FTC chairman Joe Simons. “Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers.

“This settlement requires that the company take steps to improve its data security going forward and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud.”

Equifax already settled with the UK’s Information Commissioner’s Office for $500,000 for failing to protect the data of 15 million British citizens in the same breach.

What led to the leak?

The FTC said in its report that Equifax failed to patch its network after being alerted in March 2017 to a critical security vulnerability affecting its Automated Consumer Interview System (ACIS) database, which handles inquiries from consumers about their personal credit data.

However, because of the way that Equifax’s IT systems had evolved, ACIS also provided a means for hackers to access other unrelated records stored by the firm.

The FTC found that, even though Equifax’s security team ordered that each of the company’s vulnerable systems be patched within 48 hours after receiving the alert, it did not follow up to ensure the order was carried out by the responsible employees.

As a consequence, several hackers were able to exploit the flaw and steal consumers’ personal details over a period of months.

Not only that, but they were able to access an unsecured file that included administrative credentials stored in plain text.

As part of the settlement, the FTC said that Equifax had also agreed to:

  • Carry out its own annual audit of security risks
  • Submit to an external assessment of its security efforts once every two years
  • Ensure that third parties given access to personal data stored by the firm also have adequate data protection measures in place