Equifax Settles Data Breach Charges
Print Issue: November 2019
Contrary to popular belief and Hollywood depictions, gold mining is not for the faint of heart. It takes time, resources, and—typically—some expertise in geography, geology, chemistry, and engineering to be successful.
And the likelihood of discovering gold and developing that find into a mine is extremely low—less than 0.1 percent, with just 10 percent of global gold deposits sufficient to justify further development, according to the World Gold Council.
But for those who put in the work, the profits can be enormous—allowing miners to enter a market where gold is valued at $1,499.50 per ounce, as of press time in September 2019.
The same is true for pulling off a major data breach. It takes time to identify the target, research and reconnaissance to determine the best method of infiltration, and then the ability to carry out the attack, obtain the data, and evade arrest and prosecution.
In 2017, hackers struck the data equivalent of a gold mine: Equifax. The consumer credit reporting agency confirmed that individuals had obtained access to its systems and compromised data on roughly 147 million Americans. Equifax also said British and Canadian residents had been impacted by the breach.
The hackers made off with a variety of personal data, including Social Security and driver’s license numbers, birth dates, names, and credit card information.
“Criminals exploited a U.S. website application vulnerability to gain access to certain files,” according to a statement Equifax released after disclosing the breach. “Based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.”
Following the breach, Equifax faced intense scrutiny from consumers, regulators, and lawmakers. Equifax set up a website so consumers could determine if any of their data had been compromised in the breach and allow them to sign up for credit monitoring and identity theft protection. But, a disclaimer on the initial version of the website could have prevented individuals from filing suits against the consumer reporting agency for the breach.
“By consenting to submit Your Claims to arbitration, You will be forfeiting Your right to bring or participate in any class action (whether as a named plaintiff or a class member) or to share in any class action awards, including class claim where a class has not yet been certified, even if the facts and circumstances upon which the Claims are based already occurred or existed,” the disclaimer said.
Then New York Attorney General Eric Schneiderman directed his staff to contact Equifax to have the disclaimer removed, which Equifax did, and investigate how the breach had occurred.
Investigators later determined that the breach was preventable because hackers infiltrated Equifax through a vulnerability that had a patch available months earlier from the Apache Software Foundation.
In fact, the U.S. Computer Emergency Readiness Team (US-CERT) had notified Equifax of the vulnerability to its systems in March 2017 and encouraged the agency to update its software to a new version that had been released—for free—for all Apache software users.
The Federal Trade Commission (FTC) opened an investigation into Equifax and found that the system the credit reporting agency was using, called ACIS, was originally built in the 1980s and ran old systems that were no longer supported.
Because of this, Equifax itself considered ACIS “to be legacy infrastructure and its own documents describe the system as ‘archaic’ and using ‘antiquated technology,’” according to a complaint filed by the FTC. “As of 2016, about 25 million consumers interact with ACIS every year, with about 6.6 million of those consumers disputing transactions in their credit reports.”
The ACIS system needed the patched version of the Apache software, and Equifax’s security team was aware. It had received US-CERT’s alert and then sent it out internally to more than 400 employees, directing those responsible for Apache to patch the vulnerability within 48 hours.
The patch, however, was never implemented because the email did not reach the employee who was responsible for maintaining the ACIS Dispute Portal. A subsequent vulnerability scan, which was improperly configured, then failed to alert Equifax that the patch had not been implemented.
Months later, in July 2017, Equifax would become aware of suspicious traffic on its ACIS Dispute Portal—beginning the process of identifying the massive data breach and mitigating its response.
Due to these missteps, the FTC, the Consumer Financial Protection Bureau (CFPB), and 50 U.S. states and territories alleged that Equifax failed to take reasonable measures to secure its network, leading to the massive data breach.
A year later, the United Kingdom Information Commissioner’s Office (ICO) was the first regulator to fine Equifax for failing to protect consumers’ personal information. The ICO charged the company £500,000 (roughly $625,000).
Canada’s Federal Privacy Commissioner Daniel Therrien later found, in April 2019, that Equifax fell short of its obligations to protect Canadians’ data.
“Given the vast amounts of highly sensitive personal information Equifax holds, and its pivotal role in the financial sector as a credit reporting agency, it was completely unacceptable to find such significant shortcomings in the company’s privacy and security practices,” Therrian said in a statement. But the Canadian regulator stopped short of fining Equifax for the breach.
In July 2019, approximately two years after the breach, Equifax agreed to a settlement of at least $575 million—and potentially up to $700 million. Forty-eight U.S. states, the District of Columbia, and Puerto Rico will receive a total of $175 million in civil penalties; the CFPB will receive $100 million.
A portion of the settlement funds, $300 million, will go to a fund to provide affected consumers with credit monitoring services or to provide compensation for consumers who purchased credit or identity monitoring services from Equifax as a result of the breach. If necessary, Equifax will add an additional $125 million to that fund to compensate consumers for their losses.
“Companies that profit from personal information have an extra responsibility to protect and secure that data,” said FTC Chairman Joe Simons in a statement. “Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers.”
The consumer reporting agency will also provide all U.S. consumers with six free credit reports each year through 2027—beginning in 2020. This is in addition to the one free annual credit report Equifax already provides.
Along with the reparations for consumers, the settlement also requires Equifax to implement a variety of security measures to prevent a similar breach from occurring in the future.
“Hackers were able to access a staggering amount of data because Equifax failed to implement basic security measures,” according to the FTC. “This includes failing to implement a policy to ensure that security vulnerabilities were patched; failing to segment its database servers to block access to other parts of the network once one database was breached; and failing to install robust intrusion detection protections for its legacy databases.”
All of these lapses were alleged violations of the FTC Act’s prohibition against unfair and deceptive practices and the Gramm-Leach-Bliley Safeguards Rule.
To remedy this, the settlement requires Equifax to implement a comprehensive information security program that designates an employee to oversee the program, conducts annual assessments of internal and external security risks, and implements safeguards to address those risks.
Equifax also must obtain annual certifications from its board of directors—or a relevant subcommittee—that it has complied with the settlement order’s information security requirements.
Additionally, Equifax is required to test and monitor the effectiveness of its security safeguards, and ensure that service providers who have access to personal information Equifax stores also implement those safeguards.
And, as an added measure of protection, Equifax must have its information security program assessed by a third-party every two years.
“Under the order, the assessor must specify the evidence that supports its conclusions and conduct independent sampling, employee interviews, and document reviews,” according to the FTC. “The order grants the commission the authority to approve the assessor for each two-year assessment period. The order also requires Equifax to provide an annual update to the FTC about the status of the consumer claims process.”
This last portion will be extremely critical for Equifax, which originally allowed consumers who had been affected by the breach to request 10 years of credit monitoring or $125. So many individuals selected the $125 fee that just weeks later Equifax issued a statement saying the payment amount would be far less than $125 to each person because the fund created to pay consumers only contains $31 million.
And while Equifax is required to take these steps to prevent a future breach of its gold mine of data, the FTC’s ability to penalize other companies that commit similar missteps is limited, said Simons.
“The CFPB and the states were able to obtain civil penalties for this massive breach by a major financial institution,” he explained. “The FTC could not, because we do not have civil penalty authority for initial violations of the FTC Act or the Gramm-Leach-Bliley Safeguards Rule. Fortunately, other agencies were able to fill in the gap—this time. But under different circumstances, future breaches might not always be subject to civil penalties, which sends absolutely the wrong signal regarding deterrence.”
Because of this, Simons has advocated for the U.S. Congress to act and pass legislation that would give the FTC this ability. U.S. Senator Mark Warner (D-VA), a member of the Senate Banking Committee, supports such a measure.
“While I’m happy to see that customers who have been harmed as a result of Equifax’s shoddy cybersecurity practices will see some compensation, we need structural reforms and increased oversight of credit reporting agencies in order to make sure that this never happens again,” Warner said in a statement.
He and U.S. Senator Elizabeth Warren (D-MA), also a member of the Banking Committee and a Democratic candidate for president, introduced the Data Breach Prevention and Compensation Act. The bill is designed to provide robust compensation for consumers who have their data stolen, as well as impose mandatory penalties on consumer reporting agencies for data breaches. It would also give the FTC more direct supervisory authority over consumer reporting agencies.
“Had the bill been in effect prior to the 2017 Equifax breach, the company would have had to pay at least $1.5 billion for their failure to protect Americans’ personal information,” according to Warner’s office.
U.S. Representatives Elijah Cummings (D-MD) and Raja Krishnamoorthi (D-IL) introduced a companion bill in the House of Representatives. But as of Security Management’s press time in September neither piece of legislation had moved forward.