Equifax agrees $700m penalty over mass data breach
22 July 2019, 12:27 | Updated: 22 July 2019, 13:26
Credit reference agency Equifax has agreed to pay up to $700m (£560m) in a settlement with US regulators over a data breach in 2017.
The attack exposed personal information including social security numbers, names, dates of birth, addresses, credit card numbers and driver's licence numbers, affecting more than 147 million consumers.
Hackers exploited a vulnerability in a company database to reach an unsecured file containing administrator credentials stored in plain text. Those credentials gave them access to vast amounts of information and allowed them to operate undetected on Equifax's network for months, regulators said.
The company has agreed a settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau (CFPB) and 50 US states and territories including New York state which alone saw 8.5 million residents' personal information illegally accessed.
New York attorney general Letitia James said: "Equifax put profits over privacy and greed over people, and must be held accountable to the millions of people they put at risk.
"This company's ineptitude, negligence, and lax security standards endangered the identities of half the US population."
The settlement will see up to $425m put into a fund that will provide affected consumers with credit monitoring services and compensate them for expenses incurred as a result of the data breach.
It has also agreed to pay $175m to 48 states plus the District of Columbia and Puerto Rico, as well as $100m to the CFPB in civil penalties.
The FTC alleged that Equifax failed to fix, or "patch", its network after being alerted in March 2017 to a "critical security vulnerability" affecting a database that handles inquiries from consumers about their personal credit data.
An order by its security team for this action to be taken within 48 hours of receiving the alert was not followed up, the regulator said.
It was not until July 2017 that it discovered that the database was "unpatched", when its security team detected suspicious traffic on the company's network.
FTC chairman Joe Simons said: "Companies that profit from personal information have an extra responsibility to protect and secure that data.
"Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers.
"This settlement requires that the company takes steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud."
In Britain, Equifax was fined a maximum £500,000 by the Information Commissioner's Office last September, after the data breach affected 15 million people in the UK.
The data breach took place before the General Data Protection Regulation (GDPR), under which it could have faced a penalty of up to £120m, came into force in Britain.
(c) Sky News 2019: Equifax agrees $700m penalty over mass data breach