The sum of $700m may change, depending on how many consumer claims are added.
In 2017, consumer credit reporting agency Equifax was the subject of a massive data breach that exposed the personal information of 148m Americans. The company collects and aggregates information for more than 800m individual customers and 88m businesses worldwide.
Equifax had been warned of a huge vulnerability in its system in December 2016, when a security researcher noticed an online portal that had been created for internal use by Equifax employees only was accessible to the open internet.
This individual later told Vice’s Motherboard that they could have downloaded the data of all Equifax’s customers in 10 minutes. This data included names, birth dates, social security numbers and other sensitive pieces of information that are needed to apply for credit.
The security researcher got in touch with Equifax almost immediately after discovering the vulnerabilities, but said that Equifax did not close the portal until six months later, in June 2017. By then, the vulnerabilities had already been exploited in multiple breaches that occurred between March and July.
After a 14-month investigation, US lawmakers found that the company failed to appreciate and mitigate basic security risks.
Now, according to The Wall Street Journal, Equifax is nearing a deal to settle federal investigations into the breach. This deal will settle a nationwide consumer class-action lawsuit, initiated by the individuals affected by the breach.
The Wall Street Journal reported: “Under the agreement the credit-reporting firm would pay around $700m to settle with the Federal Trade Commission, the Consumer Financial Protection Bureau and most state attorneys general, according to people familiar with the matter.”
The sum of $700m may change, depending on how many consumer claims are added. Many of the individuals whose security was violated by the breach had never directly dealt with the company. Their information was in Equifax’s system after being shared by lenders.
Some of this money could be used to create a compensation fund for customers who have been harmed by the breach. Sources that The Wall Street Journal spoke to said that this settlement could even be announced as early as today (22 July).
The publication reported that on top of paying out $700m in this settlement, Equifax will spend approximately $1.25bn upgrading its security systems and technology.