Equifax will pay between $300 million and $425 million into a restitution fund for victims under a settlement with the Federal Trade Commission (FTC) over a 2017 breach that exposed the personal information of 148 million people.
The company came under fire for the poor security practices that had it miss the Apache Struts vulnerability responsible for the breach not once, but twice. In testimony before the House Energy and Commerce Committee's Subcommittee on Digital Commerce and Consumer Protection in the wake of the breach, former Equifax CEO and Chairman Richard Smith said the company learned of the Apache Struts vulnerability from US-CERT and then twice searched its networks for affected systems, coming up blank each time, which allowed the flaw to remain unpatched in its Consumer Dispute Portal.
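The practical point in Smith's testimony is that two searches of the network came up blank while a vulnerable Struts build stayed in production. One common reason such a search misses: it looks for loose JAR files on disk, while the library actually ships inside a deployed WAR or EAR archive. The following Python script is an added example, not code from the article or from Equifax; it walks a directory tree, recurses into nested archives, and reports every struts2-core JAR whose version is older than a caller-supplied threshold. The file layout it builds is constructed sample data, and the threshold version is a placeholder assumption, not a statement of which Struts versions were affected by the advisory the article refers to.

```python
"""Inventory Apache Struts 2 core JARs, including JARs nested inside WAR/EAR archives.

Added example, not code from the article. The fixed-version threshold is supplied
by the caller and is a placeholder assumption, not a value taken from the page.
"""
import io
import os
import re
import tempfile
import zipfile
from typing import Iterator, List, Tuple

# Matches e.g. struts2-core-2.3.31.jar and captures the dotted version.
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)*)\.jar$")
# Zip-format containers that may hold further JARs (WEB-INF/lib, EAR -> WAR -> JAR).
ARCHIVE_EXT = (".war", ".ear", ".zip", ".jar")


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.3.31' -> (2, 3, 31), so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def _scan_archive_bytes(data: bytes, path: str) -> Iterator[Tuple[str, str]]:
    """Yield (location, version) for struts2-core JARs inside a zip-format archive,
    recursing into nested archives. Non-zip content is skipped silently."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        for name in zf.namelist():
            base = os.path.basename(name)
            m = JAR_RE.search(base)
            if m:
                yield f"{path}!{name}", m.group(1)
            elif base.lower().endswith(ARCHIVE_EXT):
                yield from _scan_archive_bytes(zf.read(name), f"{path}!{name}")


def scan_tree(root: str) -> List[Tuple[str, str]]:
    """Walk a directory tree and return [(location, version)] for every struts2-core
    JAR, whether it sits loose on disk or inside a deployed WAR/EAR."""
    found: List[Tuple[str, str]] = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            m = JAR_RE.search(fn)
            if m:
                found.append((full, m.group(1)))
            elif fn.lower().endswith(ARCHIVE_EXT):
                with open(full, "rb") as fh:
                    found.extend(_scan_archive_bytes(fh.read(), full))
    return found


def below_fixed(findings: List[Tuple[str, str]], fixed_version: str) -> List[Tuple[str, str]]:
    """Return the findings whose version is older than the caller-supplied threshold."""
    fixed = parse_version(fixed_version)
    return [(loc, v) for loc, v in findings if parse_version(v) < fixed]


def build_sample_tree(root: str) -> None:
    """Constructed sample deployment (not real Equifax artifacts): one loose JAR and
    an EAR containing a WAR whose WEB-INF/lib holds an older struts2-core JAR."""
    os.makedirs(os.path.join(root, "lib"), exist_ok=True)
    with open(os.path.join(root, "lib", "struts2-core-2.5.10.jar"), "wb") as fh:
        fh.write(b"")  # contents irrelevant here; the filename carries the version
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as z:
        z.writestr("WEB-INF/lib/struts2-core-2.3.31.jar", b"")
        z.writestr("WEB-INF/lib/commons-io-2.4.jar", b"")
    with zipfile.ZipFile(os.path.join(root, "portal.ear"), "w") as z:
        z.writestr("dispute-portal.war", war.getvalue())


def demo(fixed_version: str = "2.4.0") -> List[str]:
    """Build the sample tree in a temp dir and return the sorted versions that fall
    below the placeholder threshold. A loose-file-only search would miss 2.3.31."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return sorted(v for _, v in below_fixed(scan_tree(root), fixed_version))


if __name__ == "__main__":
    for location, version in below_fixed(scan_tree("."), "2.4.0"):
        print(f"{version}\t{location}")
```

Run it against a deployment root to list nested hits with their full container path (`portal.ear!dispute-portal.war!WEB-INF/lib/...`); the inventory is only as good as the list of roots it is pointed at, which is the asset-management problem the testimony describes.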
Responding to the FTC settlement, New York Attorney General Letitia James minced no words when assessing Equifax. “This company’s ineptitude, negligence, and lax security standards endangered the identities of half the U.S. population,” she said in a statement.
“We can be confident that a huge number of the compromised users’ sensitive information from the Equifax breach is still actively in use in account takeover (ATO) attacks,” said Deepak Patel, security evangelist with PerimeterX, who explained that the breach is particularly dangerous because it included birthdates and the last four digits of Social Security numbers. “These could be used to take full control of user accounts without their knowledge.”
Robert Cattanach, partner at law firm Dorsey & Whitney, contended that “federal and state regulators have lost all patience with companies whose lax security measures have compromised extremely vulnerable consumer information, and the Equifax settlement raises the bar considerably for any company suffering a similar hack in the future.”
Cattanach called the Equifax breach “especially egregious given that the hackers exploited a vulnerability that Equifax easily could have fixed, which was then compounded by a flawed detection system that allowed the hackers to roam with impunity.”
Not only does the settlement reveal “the intense interest all governmental entities have in data security – note the wide range of regulators involved in the settlement,” said Ken Dort, a data-security and privacy lawyer at Drinker Biddle & Reath, “it also reveals the math supporting the calculations used to reach the size of the consumer fund and the governmental fines, and thus the high levels of exposure all companies now face with respect to data security, and the importance of proactive cybersecurity actions by all companies.”
The terms of the FTC settlement also include $175 million in penalties paid to the states and $100 million to the Consumer Financial Protection Bureau (CFPB). It also frees the credit reporting company from a bevy of investigations by states and the CFPB, as well as from class action lawsuits by those the breach affected.
“Americans don’t choose to have companies like Equifax collecting their data – by the nature of their business models, credit bureaus collect your personal information whether you want them to or not. In light of that, the penalties for failing to secure that data should be appropriately steep,” Sen. Mark Warner, D-Va., who sits on the Senate Banking Committee, said in a statement.
The settlement, along with the large fines recently levied against Facebook and Marriott, marks a shift in the severity of the punishment regulators are willing to mete out and serves as a cautionary tale to companies interested in avoiding hefty fines and other actions.
“Two weeks’ stiff penalties for data security and privacy mishaps here in the U.S. and across the pond signal a sea change in how companies across the world must handle the consumer data they amass and distribute,” warned Alex Calic, Chief Strategic Technology Partnerships Officer at The Media Trust.
“We expect to see more and more regulators ‘bring the hammer down’ and levy some of the largest fines ever seen to raise the sense of urgency on businesses to protect their clients’ sensitive information,” said CipherCloud CEO Pravin Kothari, who called the actions “a new precedent and a wake-up call to all businesses to be extremely careful.”
The FTC settlement should unsettle upper management and corporate boards. “The best consequence isn’t Equifax making the situation right – although that is paramount for all of those affected – it’s everyone else learning that the price to be paid outweighs the inconvenience of ensuring suitable measures are taken to secure the data that puts them at risk in the first place,” said Adam Laub, CMO at STEALTHbits Technologies.
Even in the face of stiff punishment, though, companies may fall short. “Businesses are still not doing enough to protect their clients’ sensitive information. They do not realize that internet and cloud services are not bullet-proof. They assume that their information is safe with service providers. But a simple misconfiguration, a bug or abuse of an API could cause major exposure and havoc,” said Kothari.
Government and lawmakers, too, must play roles, tightening the
rules, boosting oversight and protecting consumers.
“We need a consumer compensation fund, into which all of these fines are paid, for disbursement to long-abused US consumers,” said Lucy Security CEO Colin Bastable. “And maybe we could rein in the credit reporting industry – if they did not collect and sell our personal financial data, we would not be in this mess.”
That’s the thinking behind legislation supported by Warner and Sen. Elizabeth Warren, D-Mass. “While I’m happy to see that customers who have been harmed as a result of Equifax’s shoddy cybersecurity practices will see some compensation, we need structural reforms and increased oversight of credit reporting agencies in order to make sure that this never happens again,” said Warner, who along with Warren sponsored the Data Breach Prevention and Compensation Act, which would compensate consumers for stolen data, levy mandatory penalties on credit reporting agencies (CRAs) for breaches, and give the FTC more direct supervisory authority over CRAs’ data security. Such a bill would have required Equifax to pony up at least $1.5 billion post-breach.
The post Equifax to pay up to $425 million for breach in FTC settlement appeared first on SC Media.