In the post-GDPR world, failure to pay attention to issues like data privacy can have very real economic consequences for some of the world’s largest companies. The latest data breach settlement involves Atlanta-based credit reporting agency Equifax, which has been mired in controversy ever since its 2017 data breach, which at the time was one of the most severe in U.S. history. Nearly two years later, the final cost of the security breach is now known: $700 million. That record-setting FTC fine includes an upfront payment of $575 million, with the potential of up to another $125 million in order to make all victims of the 2017 data breach whole.
Details of the $700 million data breach settlement
The $700 million payment to settle with the Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB) and state attorneys general is eye-opening for a number of reasons. For one, the size of the FTC fine is larger than what had been originally anticipated. And, secondly, it is clear that the FTC is penalizing Equifax not just for the one-time security breach, which went undetected and unreported for months, but also for subpar security practices that led to the data breach in the first place. This is the post-GDPR world that we live in now: corporations are being held to a much higher standard these days, and simply can’t wag their fingers at cybercriminals, blaming them for all their ills. Instead, they must take responsibility for their actions.
Deepak Patel, security evangelist with PerimeterX, commented on the magnitude and significance of the Equifax breach: “The Equifax breach of September 2017 was one of the largest data breaches with up to 145 million users’ personal data compromised. We can be confident that a large number of the compromised users’ sensitive information from the Equifax breach is still actively in use in account takeover (ATO) attacks. Cybercriminals can combine data from different breaches – for example, name and address from one with the date of birth and password from another – to increase the success rate of credential stuffing. The Equifax data breach has key data like the last four digits of a social security number and date of birth. These could be used to take full control of user accounts without their knowledge. The Equifax data breach was particularly harmful to any online business since it possibly involved every U.S. consumer and their sensitive data all in one massive breach.”
The good news for Equifax is that the $700 million data breach settlement is, in many ways, a global settlement. It completely wipes the slate clean for Equifax in terms of possible fines, penalties and lawsuits. For that $700 million data breach settlement, the company will settle completely with the FTC, the Consumer Financial Protection Bureau (CFPB) and state attorneys general in 48 U.S. states. In addition, the company will resolve a nationwide consumer class-action lawsuit. Of the $700 million total involved in the data breach settlement, $300 million will go into a restitution fund for impacted consumers. This total will cover all losses and financial duress suffered by the victims, and also help to create a future fund to cover credit monitoring and compensation costs. Another $100 million will be earmarked for the CFPB, and another $175 million will go towards the state attorneys general. Going forward, Equifax will also have to commit to giving customers six free credit reports for 7 years, on top of the free credit report that they must provide annually. In addition, Equifax must do away with the fees (ranging from $3 to $10) for freezing and unfreezing customers' credit reports.
Tightening up security practices at Equifax
In a press release that the FTC issued to describe the data breach settlement, the regulatory agency made clear that much more is expected of Equifax in the future. In addition to paying out the whopping $700 million fine, Equifax must also designate one key employee to take responsibility for the IT security of the company; conduct an annual security assessment; receive annual certification from the company’s Board of Directors; commit to a more rigorous schedule of testing and monitoring; and agree to third-party assessments of the company’s information security every two years. In other words, the FTC still does not trust Equifax to do the right thing. It’s only by elevating the matter to a Board-level priority and publicizing matters that the FTC can really force Equifax to clean up its sloppy security practices.
It is still difficult to explain how a data-centric company whose entire business model was built around data allowed cybercriminals to walk away with some of the most sensitive information possible. As media publications such as the Wall Street Journal have documented, the cyber thieves gained access to personal information such as Social Security Numbers, driver's license numbers and even physical home addresses. Armed with that information, it's easy to see how cyber thieves could have constructed a massive number of false identities and brought financial or reputational ruin upon any of the 143 million Americans affected by the Equifax data breach.
Chris Kennedy, CISO and VP of customer success at AttackIQ, commented on the security failings at Equifax: “The Equifax 2017 breach was articulated as a ‘failure to patch’ but the reality is the security failures were far more broad. Poor IT governance, vulnerability discovery, application architecture, identity and privileged access management and other factors led to 147 million consumers’ highly sensitive records being exfiltrated. Because the company was not practicing continuous monitoring of its IT environment combined with a failure to validate security controls on an ongoing basis, hackers had access to its system for 76 days without detection. While part of the settlement requires Equifax to make changes to its business practice to strengthen security, simply investing in more cybersecurity tools is useless unless they can be sure that those tools are effective. Case in point, Equifax shared that between 2014-2017, they spent $250 million on cybersecurity investments – yet still suffered one of the worst data breaches of all time.”
A warning for other companies
So what impact will the Equifax data breach settlement have for other large companies that have built their businesses around data? Forcing Equifax to commit to compensating consumers, while simultaneously forcing the board of directors to get involved, is a sign that the nation’s biggest companies are going to be held to a much higher standard when it comes to consumer data. Those familiar with the Equifax matter say that companies that fail to take the most basic steps to protect sensitive data and information (such as any information pertaining to credit cards or official government-issued documents) are going to be penalized the hardest.
Justin Fox, director of DevOps engineering at NuData Security, a Mastercard Company, provided his view of what will happen next: "The size of the recent Equifax settlement should signal the significance of protecting and securing consumer data – and shows that regulators are serious about companies securing the complex and private consumer information they are entrusted with. Even though Equifax is helping individuals recover from this breach, it will take years for the full scope to be apparent, and the impact is expected to be immense. Organizations must take steps to secure all consumer and employee data, educate employees so they don't click on phishing emails, and continuously monitor networks for intrusion, 24×7. Most importantly, organizations need to be much more diligent about performing proactive reviews of their systems, networks and software, to discover system and process vulnerabilities quickly, and apply proper mitigating technologies."
At this point, it looks like the Federal Trade Commission (FTC) has stepped up to become the lead watchdog agency when it comes to protecting consumer data and personal information. The $700 million Equifax data breach settlement is proof positive that the FTC now has real power behind it to enforce this new agenda. Just 12 months ago, it looked like federal agencies were all bark and no bite. The massive Equifax data breach settlement could go a long way toward reversing that popular perception.