Equifax will pay close to £340 million to a restitution fund for victims in a settlement with the US Federal Trade Commission (FTC) over a 2017 breach that exposed the personal information of 148 million people.
The company came under fire for its poor security practices that had it missing an Apache Struts vulnerability responsible for the breach – not once, but twice.
In testimony before the House Energy and Commerce Committee Subcommittee on Digital Commerce and Consumer Protection in the wake of the breach, former Equifax CEO and Chairman Richard Smith said the company learned of the Apache Struts vulnerability from US CERT and then twice searched for any issues in its networks coming up empty each time and thus allowing the flaw to remain unpatched in its Consumer Dispute Portal.
Responding to the FTC settlement, New York Attorney General Letitia James minced no words when assessing Equifax. "This company’s ineptitude, negligence, and lax security standards endangered the identities of half the U.S. population," she said in a statement.
"We can be confident that a large number of the compromised users’ sensitive information from the Equifax breach is still actively in use in account takeover (ATO) attacks," said Deepak Patel, security evangelist with PerimeterX, who explained that because the breach is particularly dangerous because it included birthdates and the last four digits of Social Security numbers. "These could be used to take full control of user accounts without their knowledge."
Robert Cattanach, partner at law firm Dorsey & Whitney contended "federal and state regulators have lost all patience with companies whose lax security measures have compromised extremely sensitive consumer information, and the Equifax settlement raises the bar considerably for any company suffering a similar hack in the future."
Cattanach called the Equifax breach "especially egregious given that the hackers exploited a vulnerability that Equifax easily could have fixed, which was then compounded by a flawed detection system that allowed the hackers to roam with impunity."
Not only does the settlement reveal "the intense interest all governmental entities have in data security – note the wide scope of authorities involved in the settlement," Ken Dort, a data-security and privacy lawyer at Drinker Biddle & Reath, said "It also reveals the math supporting the calculations used to reach the size of the consumer fund and the governmental fines, and thus the high levels of exposure all companies now face with respect to data security, and the importance of proactive cybersecurity actions by all companies."
The terms of the FTC settlement also include a US$175 million (£140 million) fine to states and US$50 million (£40 million) to the Consumer Financial Protection Board (CFPB). It also frees the credit reporting company from a bevy of investigations by states and the CFPB as well as class action lawsuits by those the breach affected.
"Americans don’t choose to have companies like Equifax collecting their data – by the nature of their business models, credit bureaus collect your personal information whether you want them to or not. In light of that, the penalties for failing to secure that data should be appropriately steep," aenator Mark Warner, who sits on the Senate Banking Committee, said in a statement.
The settlement, along with large fines recently levied against Facebook and Marriot, mark a shift in the severity of punishment regulators are willing to mete out and a cautionary tale to companies interested in avoiding hefty fines and other actions.
"The past two weeks’ stiff penalties for data security and privacy mishaps here in the US and across the pond, signal a sea change in how companies across the world must handle the consumer data they amass and distribute," warned Alex Calic, strategic technology partnerships officer for the Media Trust.
"We’ll see more and more regulators to ‘bring the hammer down’ and levy some of the largest fines ever seen to raise the sense of urgency on businesses to protect their client sensitive information," said CEO, CipherCloud CEO Pravin Kothari, who called the actions "a new precedent and a wake-up call to all businesses to be extremely careful."
The FTC settlement should unsettle upper management and corporate boards. "The best outcome isn’t Equifax making the situation right – although that is important for all of those affected – it’s everyone else learning that the price to be paid outweighs the inconvenience of ensuring proper measures are taken to secure the data that puts them at risk in the first place," said Adam Laub, CMO at STEALTHbits Technologies.
Even in the face of stiff punishment, though, companies may fall short. "Many businesses are still not doing enough to protect their client sensitive information. They do not realise that internet and cloud services are not bullet-proof. They assume that their information is safe with service providers. But a simple misconfiguration, a bug or abuse of API could cause major exposure and havoc," said Kothari.
Adam Laub, CMO at STEALTHbits Technologies, said, "The best outcome isn’t Equifax making the situation right – although that is important for all of those affected – it’s everyone else learning that the price to be paid outweighs the inconvenience of ensuring proper measures are taken to secure the data that puts them at risk in the first place," said Adam Laub, CMO at STEALTHbits Technologies.
Government and lawmakers, too, must play roles, tightening the rules, boosting oversight and protecting consumers.
"We need a consumer compensation fund, into which all of these fines are paid, for disbursement to long-abused US consumers," said Lucy Security CEO Colin Bastable. "And maybe we could rein in the credit reporting industry – if they did not collect and sell our personal financial data, we would not be in this mess."
That’s the thinking behind legislation supported by Warner and Sen. Elizabeth Warren. "While I’m happy to see that customers who have been harmed as a result of Equifax’s shoddy cybersecurity practices will see some compensation, we need structural reforms and increased oversight of credit reporting agencies in order to make sure that this never happens again," said Warner, who along with Warren, sponsored the Data Breach Prevention and Compensation Act compensate consumers for stolen data, levy mandatory penalties on credit reporting agencies (CRAs) for breaches, and give the FTC more direct supervisory authority over CRAs’ data security. Such a bill would have required Equifax to pay up at least US$1.5 billion (£1.2 billion) post-breach.
"As Equifax is the current poster boy of bad information security, a fine of this magnitude isn’t surprising. This was the largest data breach of 2017 and it was much more severe than simple credit card information," said Saryu Nayyar, CEO of Gurucul.
According to analysis of the breach, if Equifax had simply implemented an effective patch management policy, this incident could have been prevented. Instead, the intruders had free reign on critical Equifax systems for months.
"If Equifax had simply invested just a small portion of the money they’re paying for this fine into modern cybersecurity technology, they could have avoided this massive expense and the reputation damage that the company took," Nayyar added.