Equifax Agrees to $425 Million Breach SettlementCompany Settles Over 2017 Breach Affecting 147 Million People
Equifax has agreed to a settlement for the data breach that exposed the personal information of 147 million people in 2017.
The settlement with the U.S. Federal Trade Commission, the Consumer Financial Protection Bureau and 50 U.S. states and territories includes up to $425 million to help people affected by the data breach.
The 2017 Equifax breach exposed the personal information of more than 145 million U.S. consumers as well as 15.2 million records of U.K. residents and data on 8,000 Canadians. At the heart of the breach was Equifax's failure to patch a vulnerability in the Apache Struts open-source web application framework, according to numerous investigations.
By taking advantage of that vulnerability, the attackers found their way into the network, had access to the infrastructure for over 70 days and stole data and intellectual property, authorities say.
Under the breach settlement, apart from paying $425 million to help people affected by the breach, the FTC says that Equifax will offer an extensive four-year credit monitoring program for free.
Affected users will have to enroll on the official website and activate the code from the email or letter they received from the company. The FTC says that the users must use the activation code by June 27, 2022.
The FTC says that a breach victim can still file a claim for expenses incurred between Jan. 23, 2020, and Jan. 22, 2024, as a result of identity theft or fraud related to the breach.
These expense include "losses from unauthorized charges to your accounts; fees you paid to professionals, like accountants or attorneys, to help you recover from identity theft; other expenses you incurred while recovering from identity theft, like notary fees, document shipping fees, postage, mileage, and phone charges," the FTC says. "You also can file a claim for the time you spent recovering from identity theft or fraud between January 23, 2020, and January 22, 2024. You can be compensated up to $25 per hour up to 20 hours. There are limited funds available so your claim may be reduced."
In addition, the FTC says that if a user was affected by the data breach and discovers misuse of their personal information, they can get free identity restoration services beginning January 2022, even if they never filed a claim for other benefits.
"To access this benefit, use the lookup tool to confirm that you were affected by the breach. The confirmation page provides a phone number and engagement number to get free help with identity restoration," the FTC says.
In April 2020, Massachusetts and Indiana reached a separate settlement with Equifax over the data breach that exposed the personal information of millions of residents of both states.
Then-Indiana Attorney General Curtis Hill said residents of Indiana would receive $19.5 million as part of its settlement with the company, and Massachusetts Attorney General Maura Healey said residents of that state would receive $18 million to settle its claims.
Equifax at that time also agreed to make changes to its security policies to comply with laws in the two states.
Massachusetts and Indiana were the only two states not involved in the class action lawsuit brought by 48 states, the District of Columbia and Puerto Rico, the U.S. Federal Trade Commission and the Consumer Financial Protection Bureau against Equifax over the data breach, which resulted in a settlement worth at least $575 million that was announced in July 2019.
In January, a federal judge in Atlanta approved a separate settlement between consumers affected by the breach and Equifax, which resulted in the company paying out $380.5 million to cover credit monitoring as well as Equifax promising to spend $1 billion on security improvements (see: Equifax Settles Mega-Breach Lawsuit for $1.38 Billion).
Indictments in the Case
In February 2020, federal prosecutors indicted four members of China's People's Liberation Army who allegedly oversaw the hacking of Equifax's network by first taking advantage of the Apache Struts vulnerability, which eventually allowed them to gain a foothold within the corporate network and steal more company credentials and consumer data (see: 4 in Chinese Army Charged With Breaching Equifax).
Then-U.S. Attorney General William Barr said that the Justice Department typically doesn't investigate and criminally charge members of other country's military or intelligence services, but in cases where intellectual property and citizens' private data is exposed, federal prosecutors will step in.
In April 2019, a congressional report found that some of the malicious traffic associated with the breach came from an IP address in China, but these indictments were the first time that U.S. law enforcement authorities directly tied the breach to the Chinese government (see: Congressional Report Rips Equifax for Weak Security).
Over the years, Atlanta-based Equifax has been criticized by congressional investigators and security experts for its lack of internal security and its failure to promptly patch the Apache Struts vulnerability.