Equifax has agreed to pay up to $700 million to state and federal regulators following the 2017 data breach that exposed the personal information of almost 150 million people.
The Federal Trade Commission (FTC) announced today that the credit reporting agency will pay at least $300 million and up to $425 million to compensate affected victims with credit monitoring services. The money will go into a fund that will also be used to reimburse people who purchased credit or identity monitoring services due to the breach. The settlement amount could change depending on the number of claims still to be filed by consumers.
Equifax will also pay $275 million in civil penalties and other compensation to 48 states, the District of Columbia, Puerto Rico, and the Consumer Financial Protection Bureau.
In addition to the monetary relief for affected consumers, the settlement requires changes to how Equifax handles personal data. The company must overhaul its information security program, including conducting annual assessments of security risks and obtaining an annual certification from its board of directors that the company has complied with the FTC's order. Equifax must also regularly test and monitor the effectiveness of its security safeguards, and ensure that any service providers with access to personal information stored by Equifax implement adequate safeguards of their own.
In its complaint, the FTC alleges that Equifax failed to secure the vast store of personal data held on its network, leading to one of the largest breaches in US history: the names, Social Security numbers, birth dates, addresses, and other personal information of nearly 150 million people were exposed, data that can be used directly for identity theft or fraud.
The FTC alleges that Equifax failed to patch its network after being alerted in March 2017 to a critical security vulnerability affecting its ACIS database. Although Equifax's security team ordered that every vulnerable system be patched within 48 hours, the company never followed up with the employees responsible for applying the patch to confirm that the order had been carried out. Equifax did not discover that the ACIS database was still unpatched until July 2017, after its security team detected suspicious traffic on its network.
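The failure described above is not that a patch order was never given but that nobody verified it was carried out. The following script is an added example, not code from the original article or from NNT, of the check that was missing: it compares what each host in a patch order actually reports against the version the order requires, treats hosts that have not reported since the order went out as unverified rather than as patched, and produces the follow-up list someone should have been chasing after 48 hours. The component name, fixed version, host names and inventory are all constructed for the example.

```python
"""
Patch-order verification: confirm that systems ordered patched actually were.

Added example, not code from the original article or from NNT. Models the
failure in the Equifax account above (a 48-hour patch order with no follow-up)
as a check that compares each host's reported version with the version the
order requires. The component name, fixed version, host names and inventory
below are hypothetical and constructed for the example.
"""
from datetime import datetime, timedelta, timezone

COMPONENT = "example-web-framework"   # hypothetical component named in the order
FIXED_VERSION = "2.3.32"              # hypothetical first version carrying the fix
ORDER_ISSUED = datetime(2017, 3, 9, 12, 0, tzinfo=timezone.utc)
DEADLINE = ORDER_ISSUED + timedelta(hours=48)
EXAMPLE_NOW = datetime(2017, 3, 12, tzinfo=timezone.utc)   # when the audit runs

# Constructed inventory: the version each host last reported and when (UTC,
# ISO 8601 with offset). `version` is None when the host has never reported.
INVENTORY = [
    {"host": "acis-web-01", "version": "2.3.32", "reported": "2017-03-10T09:00:00+00:00"},
    {"host": "acis-web-02", "version": "2.3.31", "reported": "2017-03-10T09:00:00+00:00"},
    {"host": "acis-web-03", "version": "2.5.10", "reported": "2017-03-11T09:00:00+00:00"},
    {"host": "acis-web-04", "version": "2.3.32", "reported": "2017-02-20T09:00:00+00:00"},
    {"host": "acis-web-05", "version": None,     "reported": None},
]


def parse_version(version):
    """'2.3.32' -> (2, 3, 32). Tuples compare element by element, so
    (2, 3, 32) < (2, 5, 10) and a short tuple such as (2, 3) sorts below (2, 3, 32)."""
    return tuple(int(part) for part in version.split("."))


def is_patched(version, fixed=FIXED_VERSION):
    """True if the reported version is at or above the first fixed version."""
    return parse_version(version) >= parse_version(fixed)


def audit(inventory, now, order_issued=ORDER_ISSUED, deadline=DEADLINE):
    """Classify every host covered by the order.

    A host is 'patched' only if it reported a fixed version AFTER the order
    went out. A report that predates the order, or no report at all, proves
    nothing, so such hosts are 'unverified' and chased like unpatched ones.
    """
    result = {"patched": [], "unpatched": [], "unverified": [],
              "overdue": now > deadline}
    for entry in inventory:
        host = entry["host"]
        if entry["version"] is None or entry["reported"] is None:
            result["unverified"].append(host)          # never reported
            continue
        reported_at = datetime.fromisoformat(entry["reported"])
        if reported_at < order_issued:
            result["unverified"].append(host)          # stale, pre-order report
        elif is_patched(entry["version"]):
            result["patched"].append(host)
        else:
            result["unpatched"].append(host)
    return result


def follow_up_list(report):
    """Hosts that still need a person assigned: anything not positively confirmed."""
    return sorted(report["unpatched"] + report["unverified"])


if __name__ == "__main__":
    report = audit(INVENTORY, now=EXAMPLE_NOW)
    status = "OVERDUE" if report["overdue"] else "within deadline"
    print(f"{COMPONENT} >= {FIXED_VERSION} ({status})")
    for bucket in ("patched", "unpatched", "unverified"):
        print(f"  {bucket:<10} {', '.join(report[bucket]) or '-'}")
    print(f"  follow up  {', '.join(follow_up_list(report))}")
```

The design choice that matters is the `unverified` bucket: a host that reported a good version before the order was issued, or that has stopped reporting, must not be counted as compliant, because that is exactly the gap through which an unpatched system survives for four months. In practice the inventory would come from an agent or configuration-management export rather than a literal in the script, and the follow-up list would be opened as tickets against named owners.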
The FTC is also encouraging Equifax employees who believe the company is failing to meet these data security commitments to email the FTC at [email protected].
NNT recommends hardening systems so that critical systems present the smallest possible attack surface. Hardening means eliminating or mitigating every known security vulnerability, and it cannot be separated from vulnerability management, a maintained hardened build standard, and tight change control. Any configuration change, whether from patching or other system maintenance, can introduce new vulnerabilities into your environment, so visibility into and control over changes is an essential security practice.