Two years after its historic data breach, the credit bureau Equifax agreed on Monday to pay at least $575 million, and up to $700 million, to settle enforcement actions with 50 US states and territories, the Federal Trade Commission, and the Consumer Financial Protection Bureau. Though the sting of the breach may have faded for some, Pennsylvania attorney general Josh Shapiro confirmed on a call with reporters that consumers have suffered identity theft as a result of the breach. Moreover, Shapiro said that federal investigators have found Social Security numbers taken from Equifax on the dark web.
The settlement is a record-breaking fine in the US for a data breach; for its 2016 breach, Uber paid $148 million. The state and federal groups that investigated Equifax touted the payout as an important wakeup call for all US corporations—especially since Equifax will also be required to make hundreds of millions of dollars of additional internal cybersecurity improvements on top of the fines. Given the massive scope and scale of the Equifax breach, though, and compared to the $5 billion data mishandling fine the FTC levied against Facebook two weeks ago, the scale of the Equifax settlement struck many close observers as insufficient.
“When you have 150 million people who are affected, this settlement is only really giving two or three dollars per person,” says Marcus Christian, a cybersecurity-focused litigation partner at the firm Mayer Brown, who was previously a federal prosecutor in the US Attorney’s Office in Florida. “The totals to Equifax will be higher given how much they’ve spent already and potential fines from other regulators or Congress, but is this enough to strike fear? I’d say no.”
Only Indiana and Massachusetts are excluded from Monday’s settlement, because each filed its own additional lawsuit against Equifax. The company could ultimately owe more in those states. But Monday’s payout includes $175 million for the included states, a $100 million CFPB fine, and $300 million to compensate consumers for damages related to the breach, with a requirement to add $125 million more in restitution if needed. Equifax will also provide US consumers with six free credit reports per year, in addition to the one it already offers, for seven years, and will provide additional free credit monitoring to victims of its breach.
The settlement closes a chapter in Equifax’s checkered response to its massive breach. Hackers first gained access to the company’s systems in mid-May 2017 and remained inside undetected until late July, eventually exfiltrating personal and financial data on more than 147 million US consumers, including Social Security numbers, dates of birth, home addresses, and some driver’s license and credit card numbers. Other massive corporate breaches have exposed more total records, and subsequent breaches like the Marriott hack have come close to the severity of the Equifax incident. But none has matched the significance and impact of the Equifax breach, because the stolen fields are exactly the ones used to prove identity for credit and government services, and unlike a password they cannot be reset.
The fallout was made even worse by Equifax’s bungling of numerous components of its breach response throughout 2017. The company was plainly unprepared for an incident of this scale and had no clear internal response plan. It built an insecure, standalone breach information website on a separate domain, which consumers had no reliable way to distinguish from phishing lookalikes; attempted to impose forced arbitration on customers who signed up for help; and even attempted to sell its identity protection services to victims of its own breach.
“If the system is designed to actively encourage commercialization of private information, are these fines and requirements just for show?” says Beau Woods, a cyber safety innovation fellow at the Atlantic Council. “The financial sector has done a good job monitoring fraud risk in the US since the cost and liability for fraud is on them. Is there a similar shift for identity theft that can happen?”