In July 2022, mobile communications giant T-Mobile announced the terms of a settlement for a consolidated class action lawsuit following a data breach that occurred in early 2021, impacting an estimated 77 million people. The incident centered around "unauthorized access" to T-Mobile's systems after a portion of customer data was listed for sale on a known cybercriminal forum. In an SEC filing, it was revealed that T-Mobile would pay an aggregate of $350 million to fund claims submitted by class members, the legal fees of plaintiffs' counsel, and the costs of administering the settlement. The company would also commit to an aggregate incremental spend of $150 million for data security and related technology in 2022 and 2023.
Home Depot has reportedly paid out at least $134.5 million to credit card companies and banks as a result of the breach. In addition, in 2016 Home Depot agreed to pay $19.5 million to customers that had been affected by the breach, which included the cost of credit monitoring services to breach victims. In 2017 the firm agreed to pay an additional $25 million to the financial institutions affected by the breach that could be claimed by victims and cover banks' losses.
In 2016 ride-hailing app Uber had 600,000 driver and 57 million user accounts breached. Instead of reporting the incident, the company paid the perpetrator $100,000 to keep the hack under wraps. Those actions, however, cost the company dearly. The company was fined $148 million in 2018 -- the biggest data-breach fine in history at the time -- for violation of state data breach notification laws.
In January 2022, investment bank and financial services giant Morgan Stanley agreed to pay $60 million to settle a legal claim relating to its data security. The agreement, if approved by a federal judge in Manhattan, will resolve a class-action lawsuit that was filed against the company in July 2020 regarding two security breaches that compromised the personal data of approximately 15 million customers. According to claimants, Morgan Stanley failed to protect the personally identifiable information (PII) of current and former clients. It is alleged that data center equipment decommissioned by the firm in 2016 and 2019 was not effectively wiped clean and that a software flaw meant unencrypted, sensitive data was visible to whoever purchased the equipment.
Since the September 2017 announcement of the Equifax data breach, the credit bureau has spent $1.6 billion to fortify its cybersecurity defenses. Five years later, consumer data kept by Equifax and the two other major credit bureaus, Experian and TransUnion, remains vulnerable to breaches, though. As Lee puts it, bulletproof cybersecurity does not exist.
Two years after the data breach, which began on May 13, 2017, and which the company discovered and began remediating on July 29, 2017, the resulting legal costs and investigations haven't stopped taking a big bite out of the company's bottom line.
The company's 2019 first quarter balance sheet lists $82.8 million in technology and data security costs arising from the data breach, including "incremental costs to transform our technology infrastructure and improve application, network, data security, and the costs of development and launch of Lock and Alert." The latter is an Equifax product that allows individuals to lock and unlock their credit report with Equifax.
As Equifax makes clear in its latest quarterly filing, it's not yet certain how much the 2017 data breach will end up costing the company. Equifax says it faces more than 1,000 individual consumer actions, including lawsuits seeking class-action status, in U.S. state and federal courts. Last Monday, meanwhile, the state of Indiana became the latest to sue Equifax over the data breach.
This demonstrates that adequate security measures provide the only truly effective defence against cyber crime. An insurance policy helps, but only if you avoid major mistakes that can escalate the costs associated with data breaches.
As determined through postmortem analysis, the breach at Equifax started on May 12, 2017 when Equifax had yet to update its credit dispute website with the new version of Struts.[5][6] The hackers used the exploit to gain access to internal servers on Equifax' corporate network. The information first pulled by the hackers included internal credentials for Equifax employees, which then allowed the hackers to search the credit monitoring databases under the guise of an authorized user. Using encryption to further mask their searches, the hackers performed more than 9000 scans of the databases, extracted information into small temporary archives that were then transferred off the Equifax servers to avoid detection and removed the temporary archives once complete.[7] The activities went on for 76 days until July 29, 2017 when Equifax discovered the breach[8][9][10] and subsequently, by July 30, 2017, shut off the exploit.[4] At least 34 servers in twenty different countries were used at different points during the breach, making tracking the perpetrators difficult.[7] While the failure to update Struts was a key failure, analysis of the breach found further faults in Equifax' system that made it easy for the breach to occur, including the insecure network design which lacked sufficient segmentation,[11] potentially inadequate encryption of personally identifiable information (PII),[12] and ineffective breach detection mechanisms.[13]
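The postmortem above names two detection gaps: a single set of credentials ran thousands of database searches, and the results left the network as a stream of small temporary archives. The following is an added example, not code from Equifax or from any of the investigations cited, showing the kind of after-the-fact checks a defender can run over database audit and egress logs to surface both patterns. The log format, user names, hosts and thresholds are all constructed for the illustration; a real deployment would set the thresholds from each account's own baseline.

```python
import re
from collections import defaultdict

# Constructed record format (not any vendor's real schema):
#   "<YYYY-MM-DD>T<HH:MM:SS> <user> QUERY <table>"
#   "<YYYY-MM-DD>T<HH:MM:SS> <user> EGRESS <file> <bytes> <destination host>"
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2})T(\d{2}:\d{2}:\d{2}) (\S+) (QUERY|EGRESS) (.*)$"
)

ARCHIVE_SUFFIXES = (".zip", ".7z", ".rar", ".tar", ".tar.gz", ".tgz")


def build_sample_audit():
    """Constructed sample audit lines: two analysts behaving normally, plus a
    web-tier service account that suddenly runs hundreds of searches and then
    pushes several small archives to hosts outside the allowlist."""
    lines = [
        "2017-05-14T09:01:10 analyst1 QUERY credit_files",
        "2017-05-14T09:03:22 analyst1 QUERY credit_files",
        "2017-05-14T09:05:00 analyst2 QUERY credit_files",
        "2017-05-14T10:15:41 analyst1 EGRESS report.pdf 2100000 fileshare.corp.example",
        "2017-05-15T09:00:05 analyst2 QUERY credit_files",
    ]
    for i in range(300):  # 300 searches from one service account in a few minutes
        lines.append(f"2017-05-15T09:{i // 60:02d}:{i % 60:02d} svc_web QUERY credit_files")
    lines += [
        "2017-05-15T14:31:00 svc_web EGRESS tmp1.zip 480000 203.0.113.7",
        "2017-05-15T14:33:00 svc_web EGRESS tmp2.zip 510000 198.51.100.9",
        "2017-05-15T14:35:00 svc_web EGRESS tmp3.zip 470000 203.0.113.7",
    ]
    return lines


def parse_audit(lines):
    """Parse audit lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        day, time, user, event, detail = m.groups()
        records.append({"day": day, "time": time, "user": user,
                        "event": event, "detail": detail})
    return records


def query_volume_alerts(records, max_queries_per_day=100):
    """Return (user, day, count) for every account whose daily search count
    exceeds the threshold. A fixed threshold is used here for clarity; in
    practice compare against each account's own historical baseline."""
    counts = defaultdict(int)
    for r in records:
        if r["event"] == "QUERY":
            counts[(r["user"], r["day"])] += 1
    return sorted((user, day, n) for (user, day), n in counts.items()
                  if n > max_queries_per_day)


def staged_egress_alerts(records, allowed_hosts, max_bytes=1_000_000, min_transfers=2):
    """Return {user: [transfers]} for accounts that repeatedly send small
    archive files to destinations outside the allowlist. Small, repeated
    archives are the staging pattern the postmortem describes; large one-off
    transfers to known internal hosts are left alone."""
    per_user = defaultdict(list)
    for r in records:
        if r["event"] != "EGRESS":
            continue
        parts = r["detail"].split()
        if len(parts) != 3 or not parts[1].isdigit():
            continue
        fname, size, host = parts[0], int(parts[1]), parts[2]
        if host in allowed_hosts or size > max_bytes:
            continue
        if not fname.lower().endswith(ARCHIVE_SUFFIXES):
            continue
        per_user[r["user"]].append((r["day"], r["time"], fname, size, host))
    return {u: t for u, t in per_user.items() if len(t) >= min_transfers}


if __name__ == "__main__":
    recs = parse_audit(build_sample_audit())
    print(query_volume_alerts(recs))
    print(staged_egress_alerts(recs, allowed_hosts={"fileshare.corp.example"}))
```

Both checks are deliberately cheap so they can run on a schedule against the previous day's logs; the point of the example is that the two signals the breach left behind, abnormal search volume on one credential and repeated small outbound archives, are visible in ordinary audit data if anyone is looking at it.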
Numerous lawsuits were filed against Equifax in the days after the disclosure of the breach.[48][49] In one suit the law firm Geragos & Geragos has indicated they would seek up to $70 billion in damages, which would make it the largest class-action suit in U.S. history.[48] Since October 2017, hundreds of consumers have sued Equifax for the data breach, some winning small claims cases in excess of $9,000, including actual damages, future damages, anxiety, monitoring fees and punitive damages.[50]
The Trusted ID Premier website contained terms of use, dated September 6, 2017 (the day before Equifax announced the security breach) which included an arbitration clause with a class action waiver.[68][69] Attorneys said that the arbitration clause was ambiguous and that it could require consumers who accepted it to arbitrate claims related to the cybersecurity incident.[69] According to Polly Mosendz and Shahien Nasiripour, "some fear[ed] that simply using an Equifax website to check whether their information was compromised bound them to arbitration".[70] The equifax.com website has separate terms of use with an arbitration clause and class action waiver, but, according to Brian Fung of The Washington Post, "it's unclear if that applies to the credit monitoring program".[71] New York Attorney General Eric Schneiderman demanded that Equifax remove the arbitration clause.[72] Responding to arbitration-related concerns, on September 8, Equifax issued a statement stating that "in response to consumer inquiries, we have made it clear that the arbitration clause and class action waiver included in the Equifax and TrustedID Premier terms of use does not apply to this cybersecurity incident".[72] Joel Winston, a data protection lawyer, argued that the announcement disclaiming the arbitration clause "means nothing" because the terms of use state that they are the "entire agreement" between the parties.[72] The arbitration clause was later removed from equifaxsecurity2017.com,[72] and the equifax.com terms of use were amended on September 12 to state that they do not apply to www.equifaxsecurity2017.com, www.trustedidpremier.com, or www.trustedid.com and to exclude claims arising from those sites or the security breach from arbitration.[73][74]
Equifax has been criticized by security experts for registering a new domain name for the site name instead of using a subdomain of equifax.com. On September 20, 2017, it was reported that Equifax had been mistakenly linking to an unofficial "fake" web site instead of their own breach notification site in at least eight separate tweets, unwittingly helping to direct a reported 200,000 hits to the imitation site. A software engineer named Nick Sweeting created the unauthorized Equifax web site to demonstrate how the official site could easily be confused with a phishing site. Sweeting's site was upfront to visitors that it was not official, however, telling visitors who had entered sensitive information that "you just got bamboozled! this isnt [sic] a secure site! Tweet to @equifax to get them to change it to equifax.com before thousands of people loose [sic] their info to phishing sites!" Equifax apologized for the "confusion" and deleted the tweets linking to this site.[78][79][80]
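The criticism above is that a breach-notification site on a freshly registered domain is indistinguishable, to a customer, from a lookalike run by someone else, whereas a subdomain of the organization's own domain is not. The following is an added example, not code from Equifax or from the page's sources, of a link check an organization could run over its outgoing communications before publishing them: a URL passes only if it uses HTTPS and its host is the official domain or a proper subdomain of it. The official-domain value comes from the page; the lookalike and test URLs are constructed, and the check also covers the case where a naive suffix test would wrongly accept a host such as "notequifax.com".

```python
from urllib.parse import urlsplit

# The organization's own registrable domain (from the page); anything the
# organization publishes should point here or to a subdomain of it.
OFFICIAL_DOMAIN = "equifax.com"


def is_under_domain(host, domain):
    """True if host equals domain or is a subdomain of it. The dot boundary
    matters: 'notequifax.com' ends with 'equifax.com' but is a different
    registrable domain, so a plain endswith() check would be wrong."""
    host = host.lower().rstrip(".")  # normalise case and a trailing root dot
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def check_link(url, domain=OFFICIAL_DOMAIN):
    """Return (ok, reason) for a URL that is about to be published."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "scheme is not https"
    host = parts.hostname or ""  # hostname strips port and any user-info prefix
    if not host:
        return False, "no host in URL"
    if is_under_domain(host, domain):
        return True, f"{host} is under {domain}"
    return False, f"{host} is not under {domain}; customers cannot tell it from a lookalike"


def audit_links(urls, domain=OFFICIAL_DOMAIN):
    """Check a batch of URLs; returns (url, ok, reason) per entry."""
    return [(u, *check_link(u, domain)) for u in urls]


# Constructed examples. equifaxsecurity2017.com is the real site named on the
# page; the remaining hosts are made up for the illustration.
SAMPLE_LINKS = [
    "https://www.equifax.com/personal/",
    "https://equifaxsecurity2017.com/",
    "https://notequifax.com/",
    "https://www.equifax.com.example/",
    "http://www.equifax.com/",
]

if __name__ == "__main__":
    for url, ok, reason in audit_links(SAMPLE_LINKS):
        print(("PASS" if ok else "FAIL"), url, "-", reason)
```

Run against the constructed list, only the first link passes: the separately registered notification domain fails for exactly the reason the security experts gave, and the two lookalikes fail because the subdomain test is anchored on a dot boundary rather than on a bare suffix.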
Equifax has agreed to pay at least $1.4 billion to settle multidistrict litigation brought on behalf of 147 million U.S. consumers and pay millions more to resolve civil complaints brought by the federal government and multiple state attorneys general over its massive 2017 data breach.
According to IBM's Cost of a Data Breach 2022 report, the global average cost of a data breach is USD 4.35 million; the average cost of a data breach in the United States is more than twice that amount, USD 9.44 million. Eighty-three (83) percent of organizations surveyed in the report experienced more than one data breach.
The details: In 2017, Equifax suffered one of the largest data breaches in history that impacted approximately 147 million consumers globally. In 2019, the company agreed to pay at least $575 million as part of settlements with U.S. federal and state authorities.
"This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud," FTC Chairman Joe Simons said in a statement.
Governor Andrew M. Cuomo and Attorney General Letitia James today announced that New York is holding Equifax Inc. accountable for the 2017 data breach that exposed the sensitive financial and personal information of millions of Americans, including 8.5 million New Yorkers. The settlement stems from separate investigations by the Department of Financial Services and the New York Attorney General's Office into the credit rating agency and two of its subsidiaries, Equifax Information Services LLC and Equifax Consumer Services LLC. Under the settlement, the companies will pay a fine of $10 million to DFS and $9.2 million to the New York Attorney General's Office as part of a $175 million payment to the multi-state group of attorneys general that includes New York, and Equifax has committed up to $425 million to the consumer restitution fund.