Lily Hay Newman
Two years after its historic data breach, the credit bureau Equifax agreed Monday to pay at least $575 million, and up to $700 million, to settle enforcement actions with 50 US states and territories, the Federal Trade Commission, and the Consumer Financial Protection Bureau.
Though the sting of the breach may have faded for some, Pennsylvania attorney general Josh Shapiro confirmed to reporters that consumers have suffered identity theft as a result of that breach. Moreover, Shapiro said that federal investigators have found Social Security numbers taken from Equifax on the dark web.
The settlement is a record-breaking fine in the US for a data mishap; for its 2016 breach, Uber paid $148 million. The state and federal groups that investigated Equifax touted the payout as an important wake-up call for all US corporations—especially since Equifax will also be required to make hundreds of millions of dollars of additional internal cybersecurity improvements on top of the fines. Given the massive scope and scale of the Equifax breach, though, and compared with the $5 billion data mishandling fine the FTC levied against Facebook two weeks ago, the scale of the Equifax settlement struck many observers as insufficient.
“When you have 150 million people who are affected, this settlement is only really giving $2 or $3 per person,” says Marcus Christian, a cybersecurity-focused litigation partner at the firm Mayer Brown, who was previously a prosecutor in the Florida US attorney’s Office. “The totals to Equifax will be higher, given how much they’ve spent already and potential fines from other regulators or Congress, but is this enough to strike fear? I’d say no.”
“Are these fines and requirements just for show?”
Beau Woods, Atlantic Council
Only Indiana and Massachusetts are excluded from Monday’s settlement, because each filed its own additional lawsuit against Equifax. The company could ultimately owe more in those states. But Monday’s payout includes $175 million for the included states, a $100 million CFPB fine, and $300 million to compensate consumers for damages related to the breach, with a requirement to add $125 million more in restitution if needed. Equifax will also provide US consumers with six free credit reports per year, in addition to the one it already offers, for seven years, and will provide additional free credit monitoring to victims of its breach.
The settlement closes a chapter in Equifax’s checkered response to its massive breach. Hackers infiltrated the company’s systems at the end of May 2017, and eventually exfiltrated personal and financial information from more than 147 million US consumers, including Social Security numbers, dates of birth, home addresses, and some driver’s license and credit card numbers. Other massive corporate breaches have exposed more total records, and subsequent breaches like the Marriott hack have come close to the severity of the Equifax incident. But none has matched the significance and impact of the Equifax breach.
The fallout was made even worse by Equifax’s bungling of numerous components of its breach response throughout 2017. Equifax was clearly not prepared to deal with the fallout from such an incident, and did not have a clear internal response plan. The company built an insecure, stand-alone breach information website, attempted to deploy forced arbitration against customers, and even attempted to sell its identity protection services to victims of its own breach.
“If the system is designed to actively encourage commercialization of private information, are these fines and requirements just for show?” says Beau Woods, a cybersafety innovation fellow at the Atlantic Council. “The financial sector has done a good job monitoring fraud risk in the US, since the cost and liability for fraud is on them. Is there a similar shift for identity theft that can happen?”
In first quarter earnings, Equifax announced that it had set aside $690 million in preparation for a regulatory settlement, less than the company’s overall revenue for that quarter. The company reported revenue of $3.41 billion for 2018, and while its stock dropped in 2017 in the immediate aftermath of the breach, it has since rebounded. The stock was up slightly Monday following news of the settlement.
Equifax did not return a request for comment from WIRED about the settlement. Its CEO, Mark Begor, said in a press statement that “this comprehensive settlement is a positive step for US consumers and Equifax as we move forward from the 2017 cybersecurity incident.” The company notes on its dedicated settlement website that “Equifax denies any wrongdoing, and no judgment or finding of wrongdoing has been made.”
The settlement requires Equifax to strengthen its digital security defenses through steps like improved patching procedures, network segmentation, and access controls. But these are steps Equifax has already claimed to be taking in the wake of its breach. And while they are important precautions to add, they are far more valuable to consumers if they are implemented proactively rather than reactively.
“While I’m happy to see that customers who have been harmed as a result of Equifax’s shoddy cybersecurity practices will see some compensation, we need structural reforms and increased oversight of credit reporting agencies,” Senator Mark Warner, the Democrat of Virginia, said in a statement Monday. Warner points out that under the Data Breach Prevention and Compensation Act, reintroduced in May, Equifax would have been fined $1.5 billion for its breach based on both the number of impacted people and amount of personally identifying information involved.
New state data-breach laws like the California Consumer Protection Act could make future Equifax-scale breaches much more costly to corporations, as would other laws worldwide like the European Union’s General Data Protection Regulation. But in the US, many mechanisms to deter and punish companies for cybersecurity lapses remain weak. For example, though the FTC participated in investigating Equifax and reaching Monday’s settlement, the agency couldn’t itself levy a fine against Equifax, since the incident was Equifax’s first offense, and the FTC is currently only empowered to fine repeat offenders.
Hundreds of millions of dollars in fines and a high-profile settlement will hopefully send a message to other US companies that safeguarding consumer data is not just the right thing to do, but a good investment. But raising the stakes even higher could helped ensure that those industries won’t just listen, but act.
More Great WIRED Stories