Lesson from Equifax penalty (at least $575M): Breach ‘entirely preventable’

Credit-reporting agency Equifax on Monday reached a proposed settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau (CFPB), and a coalition of 50 attorneys general—comprising 48 states, the District of Columbia, and the Commonwealth of Puerto Rico—resulting from a massive 2017 data breach. As part of the settlement, Equifax will pay $575 million, which could grow to $700 million.

“The company’s participation in the consumer settlement does not constitute an admission by the company of any fault or liability, and the company does not admit fault or liability,” Equifax said in a Form 8-K, filed with the Securities and Exchange Commission.

The multistate investigation found Equifax failed to take basic measures to secure its network that led to a September 2017 data breach that impacted approximately 147 million people. Breached information included names, Social Security numbers, birth dates, addresses, credit card numbers, and, in some cases, driver’s license numbers.

“Equifax failed in its fundamental responsibility to safeguard consumers’ sensitive financial information,” said Pennsylvania Attorney General Josh Shapiro, who co-led the multistate investigation. “Equifax knew that there were serious flaws in their system, but still they did not take appropriate steps to fix it.”

Under the proposed settlement, Equifax will pay $300 million to a Consumer Restitution Fund that will provide affected consumers with credit-monitoring services. The fund will also compensate consumers who bought credit or identity monitoring services from Equifax and paid other out-of-pocket expenses as a result of the 2017 data breach. If the $300 million is exhausted, Equifax has agreed to provide an additional $125 million in funds.

“Equifax knew that there were serious flaws in their system, but still they did not take appropriate steps to fix it.” 

Josh Shapiro, Pennsylvania Attorney General

Equifax must also offer affected consumers extended credit-monitoring services for a total of 10 years. During the first four years, consumers may get credit reports from all three credit bureaus: Equifax, Experian, and TransUnion. Additionally, beginning in January 2020, Equifax will provide all U.S. consumers with six free credit reports each year for seven years—in addition to the one free annual credit report that Equifax and the two other nationwide credit reporting agencies currently provide.

Equifax will also pay $175 million to 48 states, the District of Columbia, and Puerto Rico, as well as $100 million to the CFPB in civil penalties.

Equifax Chief Executive Officer Mark Begor said in a statement that the settlement is “a positive step for U.S. consumers and Equifax as we move forward from the 2017 cyber-security incident and focus on our transformation investments in technology and security as a leading data, analytics, and technology company.”  To date, Equifax has invested $1.25 billion into the company’s technology and security, Begor said.

This isn’t the only fine Equifax has had to pay in relation to the breach. In September 2018, the U.K. Information Commissioner’s Office (ICO) issued Equifax a £500,000 fine (U.S. $624,000), the maximum allowed at the time. The ICO investigation found that, although the information systems in the United States were compromised, Equifax was responsible for the personal information of its U.K. customers.

‘Entirely preventable’ security failures

The basic security measures Equifax failed to take should serve as a case study for all compliance officers on what not to do when a security vulnerability is discovered.

During a press conference Monday, Maryland Attorney General Brian Frosh said what is “particularly aggravating” about the actions of Equifax was its “failure to patch critical vulnerability in its network,” which went unnoticed for 76 days.

Specifically, the FTC complaint said Equifax failed to patch its network after being alerted in March 2017 to a critical security vulnerability affecting its ACIS database, which handles inquiries from consumers about their personal credit data. The Equifax breach also resulted in a scathing Congressional report released in December 2018, calling the Equifax breach “entirely preventable.”

Although Equifax’s security team ordered each of the company’s vulnerable systems be patched within 48 hours after receiving the alert, Equifax did not follow up to ensure the order was carried out by the responsible employees, according to the complaint.

In fact, Equifax did not discover its ACIS database was unpatched until July 2017, when its security team detected suspicious traffic on its network. A company investigation revealed multiple hackers were able to exploit the ACIS vulnerability to gain entry to Equifax’s network, where they accessed an unsecured file that included administrative credentials stored in plain text. These credentials allowed the hackers to gain access to vast amounts of consumers’ personally identifiable information and to operate undetected on Equifax’s network for months.

Basic security measures Equifax failed to implement include a policy to ensure security vulnerabilities were patched; failing to segment its database servers to block access to other parts of the network once one database was breached; and failing to install robust intrusion detection protections for its legacy databases.

Despite its failure to implement basic security measures, Equifax’s privacy policy at the time stated that it limited access to consumers’ personal information and implemented “reasonable physical, technical and procedural safeguards” to protect consumer data.

The FTC alleges Equifax violated the FTC Act’s prohibition against unfair and deceptive practices and the Gramm-Leach-Bliley Act’s Safeguards Rule, which requires financial institutions to develop, implement, and maintain a comprehensive information security program to protect the security, confidentiality, and integrity of customer information.

Compliance lessons

The settlement requires Equifax take steps to improve its data security going forward—steps that all compliance officers should look to as best practices for securing the information-security program within their own companies.

Specifically, Equifax must:

• Designate an employee to oversee the information-security program;
• Minimize its collection of sensitive data and the use of consumers’ Social Security numbers;
• Conduct annual assessments of internal and external security risks and implement safeguards to address potential risks, such as patch management and security remediation policies, network intrusion mechanisms, and other protections;
• Obtain annual certifications from the Equifax board of directors or relevant subcommittee attesting that the company has complied with the order, including its information-security requirements;
• Test and monitor the effectiveness of the security safeguards; and
• Ensure service providers that access personal information stored by Equifax also implement adequate safeguards to protect such data.

During the press conference, Maneesha Mithal, associate director of the division of privacy and identity protection at the FTC, additionally noted that “many executives that were in place at Equifax at the time of the breach have since moved on.”

The proposed FTC settlement further requires Equifax to obtain third-party assessments of its information-security program every two years. Under the order, the independent, third-party assessor must specify the evidence that supports its conclusions and conduct independent sampling, employee interviews, and document reviews.

The order grants the FTC the authority to approve the assessor for each two-year assessment period. The order also requires Equifax to provide an annual update to the FTC about the status of the consumer claims process.

The Commission vote authorizing the staff to file the complaint and proposed stipulated final order was 5-0. The FTC expects to file the complaint and proposed order on July 22 in the U.S. District Court for the Northern District of Georgia.

The fine could have been higher if the FTC had the authority to levy civil penalties (instead of equitable monetary relief), FTC Chairman Joseph Simons said during the press conference. “Fortunately, other agencies were able to fill in the gap this time, but that will not always be the case, which sends the wrong signal regarding deterrence,” said Simons, who reiterated his calls to Congress to give the FTC greater authority to impose penalties.

Compliance officers should heed the Equifax settlement as a warning. “Companies that profit from personal information have an extra responsibility to protect and secure that data,” Simons said.

“I hope this case sends a message that it doesn’t pay to underinvest in data security,” Mithal said.

Frosh said the settlement is important in another way. “It sets a standard for credit-reporting agencies,” he said, noting that other credit-reporting agencies will be held to the same standards as Equifax.

CFPB Director Kathleen Kraninger warned the Equifax announcement is “not the end of our efforts to make sure consumers’ sensitive personal information is safe and secure. The incident at Equifax underscores the evolving cyber-security threats confronting both private and government computer systems and actions they must take to shield the personal information of consumers,” she said. “Too much is at stake for the financial security of the American people to make these protections anything less than a top priority.”