News

Actions

Idaho announces $600 million settlement with Equifax over 2017 data breach

Posted: 11:03 AM, Jul 22, 2019
Updated: 2019-07-22 13:03:45-04

BOISE — Idaho Attorney General Lawrence Wasden announced Monday that a coalition of fifty attorneys general has reached a settlement with Equifax -- as the result of an investigation into a massive 2017 data breach. Officials say the breach occurred after Equifax failed to maintain a reasonable security system. It was the largest breach in history, exposing the data of 56 percent of American adults.

The attorneys general secured a settlement with Equifax that includes a Consumer Restitution Fund of up to $425 million and a $175 million payment to the states. Idaho’s portion is $1,061,064 which, by law, will be deposited into the state’s Consumer Protection Fund.

“I’m pleased to announce this result for Idahoans, as Equifax failed to protect their sensitive data,” Wasden said. “This is a substantial settlement for the states -- and for consumers. I hope it reminds large companies who keep data on-file to protect it with robust security systems. This was an extremely expensive lesson for Equifax to learn.”

On September 7, 2017, Equifax, one of the largest consumer reporting agencies in the world, announced a data breach affecting more than 147 million consumers. Breached information included social security numbers, names, dates of birth, addresses, credit card numbers, and in some cases, driver’s license numbers.

Shortly thereafter, state attorneys general launched an investigation. They found that -- despite knowing about a critical vulnerability in its software -- Equifax failed to fully patch its systems. Moreover, Equifax failed to replace software that monitored the breached network for suspicious activity. As a result, the attackers penetrated Equifax’s system and went unnoticed for 76 days.

Under the terms of the settlement, Equifax agreed to provide a single Consumer Restitution Fund of up to $425 million -- with $300 million dedicated to consumer redress. If the $300 million is exhausted, the fund can increase by an additional $125 million. The company will also offer affected consumers extended credit-monitoring services for a total of ten years.

Eligible consumers will be required to submit claims online or by mail. Paper claims forms can also be requested over the phone. Consumers will be able to obtain information about the settlement, check their eligibility to file a claim, and file a claim on the Equifax Settlement Breach online registry.

To receive email updates regarding the launch of the online registry, consumers can sign up at https://www.ftc.gov/enforcement/cases-proceedings/refunds/equifax-data-breach-settlement [idaho.us16.list-manage.com]. Consumers can also call the settlement administrator at 1-833-759-2982 for more information. The program to pay restitution to consumers will be conducted in connection with settlements that have been reached in the multi-district class actions filed against Equifax, as well as settlements that were reached with the Federal Trade Commission and Consumer Financial Protection Bureau.

Equifax has also agreed to take several steps to assist consumers who are either facing identity theft issues or who have already had their identities stolen including, but not limited to, terms:
-making it easier for consumers to freeze and thaw their credit;
-making it easier for consumers to dispute inaccurate information in credit reports; and
-requiring Equifax to maintain sufficient staff dedicated to assisting consumers who may be victims of identity theft.

Equifax has also agreed to strengthen its security practices going forward, including:
-reorganizing its data security team;
-minimizing its collection of sensitive data and the use of consumers’ Social Security numbers;
-performing regular security monitoring, logging and testing;
-employing improved access control and account management tools;
-reorganizing and segmenting its network; and
-reorganizing its patch management team and employing new policies regarding the identification and deployment of critical security updates and patches.