Equifax has agreed to a settlement over its 2017 breach that affected 147 million people in the US. The company has agreed to pay up to $700 million, including up to $425 million to help people affected by the data breach.
Equifax, a major US consumer credit rating firm, disclosed the breach in September 2017 which happened after it failed to patch a known security flaw in one of its websites that used Apache Struts, a tool for building Java web apps.
Several months before Equifax revealed it was hacked, US-CERT had issued a warning for organizations to apply the Apache Software Foundation’s patch for the flaw CVE-2017-5638.
Soon after US-CERT's alert, hackers used the Struts flaw in Equifax’s Automated Consumer Interview System (ACIS) online dispute portal to access personal info on 147 million consumers. The Federal Trade Commission (FTC) alleges hackers could do this because of Equifax’s “failure to undertake numerous basic security measures”.
The breach exposed 147 million US consumers’ names and dates of birth, 145.5 million social security numbers, and 209,000 payment card numbers and expiration dates. Hackers also pilfered 20 million telephone numbers and 17.6 million email addresses.
The FTC highlights four key failures by Equifax: not having a working policy to ensure software is patched, failing to segment its databases, not employing adequate intrusion detection protection, and not encrypting sensitive consumer information.
The settlement aims to compensate victims for the firm’s security shortcomings and is framed around its failure to deliver on claims in its product privacy statements.
Equifax has agreed to pay at least $575 million as part of a settlement with the FTC, the Consumer Financial Protection Bureau (CFPB) and 50 states and territories.
It has also agreed to pay $175 million to 48 states and an additional $100 million civil penalty to the CFPB.
Affected consumers can get four years of free credit monitoring at either Equifax, Experian, or TransUnion. They can also get up to six more years of credit monitoring of their Equifax credit report. Those who opt not to take up the free credit monitoring may be eligible for a payment of $125 in cash.
Consumers could also get up to $20,000 each based on time spent — at $25 per hour for up to 20 hours — protecting an identity or recovering from identity theft. They could also be reimbursed for money spent on these activities, and up to 25 percent of the cost of Equifax credit monitoring or identity protection products bought between September 7, 2016 and September 7, 2017.
The FTC plans to publish details about how consumers can apply for reimbursements once that option becomes available.
The FTC alleges in the complaint that Equifax received the Struts alert from US-CERT and even issued an order to 400 staff to apply the patch within 48 hours, but failed to send that email to the employee responsible for maintaining the vulnerable ACIS Dispute Portal. Equifax’s automated vulnerability scanner also failed to detect the flaw because it was configured incorrectly, leaving the website exposed for four months after the initial alert.
Equifax’s failure to segment its network allowed multiple attackers to exploit the ACIS flaw and move onwards to other unrelated databases. And the attackers could access an unsecured file share connected to the ACIS databases to gain admin credentials that weren’t encrypted.
The FTC is expected to announce a $5bn settlement with Facebook as early as this week over its handling of user data that led to political consultancy Cambridge Analytica acquiring data on 87 million Facebook users.
Marriott, which disclosed a massive breach last year affecting over 380 million people, is facing a £99.2m (AU$178m) fine in Europe under its new privacy regulations.