Credit bureau to pay at least $924m in biggest ever breach settlement


Almost half the settlement — $US300 million — will go toward American consumers who were harmed by the breach, according to settlement documents filed in federal court in Atlanta. The company also agreed to pay $US275 million in fines to end investigations by the Consumer Financial Protection Bureau, the Federal Trade Commission and 48 states, plus the District of Columbia and Puerto Rico.

Equifax agreed to provide up to 10 years of free credit monitoring services to all victims of the breach in the United States, an offer that could greatly increase the cost of the settlement. Equifax is paying one of its competitors, Experian, to provide that service for the first four years, but the settlement assumes only about 7 million people will sign up.

Every additional million consumers who opt in would cost Equifax more than $US16 million, according to the settlement documents. If all 147 million victims of the breach were to take part, the monitoring services would cost Equifax more than $US2 billion.

Equifax has files on hundreds of millions of people worldwide that contain extensive details about their financial accounts and transactions. In 2016 the company acquired ASX-listed Veda Group for $2.5 billion, with Veda subsequently coming under fire from the Australian Privacy Commissioner that same year for selling commercial products to consumers who simply wanted a free copy of their credit report. Monday’s settlement, however, only concerns American customers.

The 2017 breach not only exposed private information but also put a spotlight on the loosely regulated role credit bureaus play in the day-to-day lives of Americans. Equifax makes money by selling its vast trove of information to auto loan, mortgage and credit card issuers. Consumers can exercise some control over how their files are used — for example, by freezing them to prevent new credit lines from being opened — but they cannot choose to have the bureaus stop collecting their information.

Law enforcement officials have never publicly identified who was behind the hack. Although the thieves did not steal Equifax’s crown jewels, its credit files, they used a flaw that was left unfixed to gain access to dozens of databases. According to a government report, the attackers siphoned off information for about 76 days until Equifax discovered the intrusion in late July 2017. The company waited more than a month to disclose the breach.

As bad as the loss of so much sensitive information was, the company’s bungled response also infuriated consumers. Equifax created an information website that barely functioned. It struggled to keep up with the deluge of phone calls and messages from worried consumers. At one point, it even accidentally pointed those seeking information on the breach toward a fake website.

The turmoil led to the ouster of Equifax’s chief executive, Richard Smith, and the company’s chief information officer and chief security officer. Last year, Equifax named Mark Begor, an outsider who had worked in private equity, as its new chief executive.

Lawyers representing the consumers in the settlement say people who were victims of fraud after the breach will be eligible for settlements even if they cannot prove that the Equifax theft directly caused their loss. The settlement documents say anyone who experienced fraud that was “fairly traceable” to the stolen information will be able to make a claim. But applying that definition will be up to the settlement’s administrator, JND Legal Administration, which will follow a detailed written protocol laid out in the settlement.

It has been difficult to determine how much harm the breach did to consumers because cybersecurity experts have not seen any sign of victims’ stolen names and personal information surfacing in the kinds of online marketplaces on which such stolen information is often trafficked.

“We continue to monitor the dark web and identity theft,” Begor said at a news conference on Monday. “To date, we haven’t seen any instances of the data that was stolen being sold.”

The current settlement figure of about $US650 million is a bit less than one typical quarter of sales for Equifax. Last year, the company earned $US300 million, a 49 per cent drop from its income a year earlier, on sales of $US3.4 billion. Equifax’s stock price tumbled after the breach but has since recovered most of its losses.

Some consumer advocates wish the punishment had been more harsh.

“The Equifax fine is grievously low, particularly given the scope of the identity problems they created,” said Pam Dixon, executive director of the World Privacy Forum.

But the sum “is not insignificant,” said Christopher Peterson, a law professor at the University of Utah and a former enforcement lawyer at the Consumer Financial Protection Bureau. Settling the case quickly is probably a better outcome for consumers than years of legal battling, he added.

“My perspective is that this is a win for the various consumer protection agencies that are involved, but that over the long term, it creates only a relatively mild incentive for the big credit reporting agencies to strengthen their data security,” Peterson said. “The underlying law itself here does not provide as much protection as I think most Americans deserve and want.”

New York Times, with staff reporters
