Credit check group Equifax hit with $700m penalty in US over data breach

Personal details of 47m consumers hacked after company failed to take basic precautions

The names and dates of birth of a least 147 million Equifax customers were stolen in the hack, as well as 145.5 million social security numbers and 209,000 payment-card numbers and expiration dates. Photograph: Dado Ruvic/Reuters
The names and dates of birth of a least 147 million Equifax customers were stolen in the hack, as well as 145.5 million social security numbers and 209,000 payment-card numbers and expiration dates. Photograph: Dado Ruvic/Reuters

Equifax will pay up to $700 million (€624 million) as part of a settlement with US authorities after a 2017 hack that exposed the personal data of close to 150 million people whose most sensitive financial information is tracked by the consumer credit check company.

The resolution with the Federal Trade Commission (FTC), Consumer Financial Protection Bureau and 50 state attorneys-general draws a line under the hack, the largest-ever breach of consumer data. The company has also settled with claimants in a class-action lawsuit.

"Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers," said Joe Simons, FTC chairman, in Monday.

“This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud,” he added.

READ SOME MORE

‘Positive step’

Mark Begor, Equifax chief executive, said: "This comprehensive settlement is a positive step for US consumers and Equifax as we move forward from the 2017 cybersecurity incident."

The settlement comes two years after the breach in July 2017, when hackers were able to steal data, including social security numbers, after Equifax had failed to patch its systems, the FTC said.

The company had been warned of a security vulnerability in March that year but failed to take action until the hack.

“Hackers were able to access a staggering amount of data because Equifax failed to implement basic security measures,” the FTC said on Monday.

The names and dates of birth of a least 147 million Equifax customers were stolen in the hack, as well as 145.5 million social security numbers and 209,000 payment-card numbers and expiration dates.

Equifax was forced to scrap executive bonuses and suspend share buybacks last year, in anticipation of fines and lawsuits resulting from the hack.

Fined

The settlement with US authorities follows action by UK regulators last September. Equifax was fined £500,000 (€557 million) – the maximum penalty allowed by law at the time of the hack – after it was revealed hundreds of thousands of British customers had also been affected.

The UK Information Commissioner’s Office said Equifax had collected British customer data and stored it in the US.

Equifax will pay $300 million into a compensation fund for affected consumers as part of the settlement with the FTC, Consumer Financial Protection Bureau and state AGs, with the potential to add up to $125 million more. It will also pay $175 million to the state AGs and $100 million to the consumer protection agency in civil penalties.

Equifax has significant Irish operations in Dublin and Wexford. The company’s Irish division notified the Data Protection Commission of the issues in 2017, but the Irish regulator stepped back to allow British authorities, which had greater power to levy fines, to investigate it. Only a handful of Irish customers were affected.

Cash payments

In addition to the cash payments, Equifax will also provide all US consumers with six free credit reports every year for seven years. As part of the class-action settlement, affected consumers will receive 10 years of free credit monitoring.

Lawyers for the class-action claimants said the cost to Equifax could be as much as $2 billion if all 147 million members of the class signed up for free credit monitoring. They also said the company had been required to spend at least $1 billion over five years on cyber security.

The company will also be required to deploy an “aggressive” social media campaign, and advertise via radio, print and digital outlets to reach individuals entitled to compensation. – Copyright The Financial Times Limited 2019