On Monday, the Federal Trade Commission (FTC) announced that it had come to terms with Equifax regarding its September 2017 data breach. The credit monitoring company has agreed to pay $700 million to settle various federal and state inquiries. As part of the agreement, affected consumers are entitled to cash payments of up to $20,000.
Before going into effect, a federal judge needs to review and approve the settlement agreement, a process that can take up to six months.
According to Reuters, Equifax’s payout will be the largest data breach settlement in history.
The FTC’s proposed agreement with Equifax will establish a fund of $425 million for affected consumers. Once created, the settlement fund will allow claimants to receive up to 10 years of free credit monitoring service. Alternatively, individuals affected by the Equifax hack can request payouts of up to $20,000.
As laid out on the FTC’s website, claimants seeking cash payouts will need to prove they incurred expenses as a result of having their data exposed. The agency notes that financial losses, credit report freezing and unfreezing, attorneys’ fees, and credit monitoring costs all count as applicable expenses. The organization further specifies that affected consumers are entitled to $25 an hour for each hour they spent dealing with the breach.
However, individuals seeking damages will likely have a hard time making their claims. Consumers must prove hackers collected their personal information in the 2017 data breach. As investigators have never found the stolen data on the dark web, claimants likely won’t be able to establish causality. CNBC reports that U.S. officials believe a foreign intelligence agency compromised Equifax’s digital infrastructure.
Additionally, the settlement provides all U.S. citizens with six credit reports a year for seven years starting in 2020.
If approved, the agreement will provide the FTC and other federal and state regulators with $290.5 million in attorneys’ fees and fines. It also requires Equifax to invest in significant data security upgrades to prevent future data breaches.
How Hackers Accessed Equifax’s Database
Over two years ago, hackers compromised Equifax’s database and acquired personal information of more than 147 million people. However, the rogue operators didn’t have to launch an elaborate operation to penetrate the company’s systems. Instead, they exploited a security vulnerability that the Department of Homeland Security advised the firm to patch.
In March 2017, the Community Emergency Response Team (CERT) announced that it had discovered a vulnerability in the Apache Struts application framework. Following the discovery, the Homeland Security agency notified several large organizations about the vulnerability, so Equifax’s information technology team learned about the Struts issue. However, the firm didn’t follow CERT’s advice to deploy the patch.
That same year, then-Equifax CEO Richard Smith told the House Energy and Commerce Committee that a lone employee had failed in their duty to deploy the patch. Consequently, hackers infiltrated the company’s systems. Because the vulnerability was never addressed, they went undetected for two months. During that time, attackers harvested millions of names, birth dates, driver’s license numbers, payment card data, and Social Security numbers.
In a statement, New York Attorney General Letitia James laid out Equifax’s data security shortcomings in stark terms. “This company’s ineptitude, negligence, and lax security standards endangered the identities of half the U.S. population,” James said.