Remember 2017, when the Equifax data breach exposed the personal information of more than half of all United States citizens? Investigators have slapped Equifax with a $700 million fine for the 2017 data breach, according to a statement.
Hefty Breach, Hefty Fine
The $700 million proposed settlement includes fines from various agencies and states. Equifax has also created a relief fund for victims of identity theft. The breach included approximately 150 million Americans’ social security numbers and credit history.
This settlement brings to a close numerous probes by the Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau. $525 million of the settlement is to resolve fines from the FTC. The investigations also included nearly every state's attorney general.
Equifax has additionally agreed to provide 6 free credit reports per year for 7 years as part of the settlement. Consumers who already have a credit monitoring solution may elect to receive a $125 payout instead. The settlement also includes a fund for consumers who have been victims of identity theft. Consumers may file for up to $20,000 for time and money spent resolving an identity theft.
According to FTC Chairman Joe Simons, “Equifax failed to take basic steps that may have prevented the breach.” Due to the unsatisfactory security practices in place, “This settlement requires that the company take steps to improve its data security.”
Democratic Senator Mark Warner said in a statement: “While I’m happy to see that customers who have been harmed as a result of Equifax’s shoddy cybersecurity practices will see some compensation, we need structural reforms and increased oversight of credit reporting agencies in order to make sure that this never happens again.”
Part of the settlement stipulates that Equifax bolster its security practices and that a third party review its security policies and practices.
Equifax stored its most sensitive information, such as social security numbers and driver's license numbers, in plain text for years. This means nearly anyone with access to that system could read the data directly, with no encryption protecting it. The lax security practices in place at Equifax did not stop there.
The congressional investigation released earlier this year revealed that Equifax failed to apply over 8,500 security fixes, or patches. Investigators even discovered unpatched vulnerabilities dating as far back as 2015.
Although this is the largest-ever data breach settlement, consumer advocates were not pleased with it. “[Equifax] failed to do its job: protect data,” says the U.S. Public Interest Research Group.
Investigations by the Justice Department determined that Chief Information Officer Jun Ying sold shares ahead of the official announcement. Jun Ying is the second Equifax employee to be charged with insider trading.
This data breach was the result of an unpatched, known vulnerability. This simple failure to properly maintain their systems resulted in the loss of 150 million consumer records. How long before we see a catastrophic breach as a result of the 800,000 systems still vulnerable to BlueKeep?