Equifax Data Breach: Why you shouldn’t take the cash

by Courtney

On July 22, 2019, Equifax Inc. agreed to pay $575 million as part of its settlement with the Federal Trade Commission (“FTC”), the Consumer Financial Protection Bureau (“CFPB”), and all 50 U.S. states and territories concerning its 2017 data breach.

The proposed settlement includes a $300 million payment to a Consumer Fund that will provide protection and compensation to 147 million affected consumers. The settlement also includes a provision that if Equifax’s initial $300 million payment is insufficient, then an additional amount of up to $125 million will be contributed. Therefore, Equifax could pay $700 million: up to $425 million to the Consumer Fund; $175 million to the states, the District of Columbia and Puerto Rico; and $100 million to the CFPB related to civil penalties.

What happened?

On September 7, 2017, Equifax disclosed that a massive data breach exposed the sensitive personal information of 147 million consumers (“Breach”). A vulnerable version of Apache Struts, an “open-source, MVC framework for creating elegant, modern Java web applications,” used in Equifax’s Dispute Portal opened its system to hackers, leading to the Breach. Although Equifax received notification of the Apache Struts vulnerability in March of 2017, it failed to address the problem adequately.

In the summer of 2017, Equifax identified suspicious traffic on the Dispute Portal. It blocked the traffic, but after noticing additional suspicious traffic, it ultimately took the portal offline.

Equifax hired a forensic consultant to determine the extent of the security issue. Between May 2017 and July 2017, multiple hackers gained access to Equifax’s network through the vulnerability in the Dispute Portal. Once inside, the hackers searched dozens of Equifax’s databases, which contained consumers’ personal information well beyond what was contained in the Portal. Hackers also accessed unsecured files that contained administrative credentials, enabling further access to Equifax’s network. By August 11, 2017, it was clear that the Breach exposed a large amount of sensitive consumer personal information.

How much sensitive consumer information was exposed?

The forensic consultant revealed that the compromised files included approximately 147 million names and dates of birth, 145.5 million social security numbers, 99 million addresses, 20.3 million telephone numbers, 17.6 million email addresses, and 209,000 payment card numbers with expiration dates. Unfortunately, and ironically, much of this data came from consumers who had purchased products such as Equifax’s credit monitoring and identity theft prevention.

On July 22, 2019, the FTC brought an action to obtain permanent injunctive relief, restitution, and other relief against Equifax under the Federal Trade Commission Act, the Safeguards Rule, and the Gramm-Leach-Bliley Act, alleging that Equifax failed to take simple steps that could have prevented the Breach. The proposed settlement between the parties includes four years of credit and identity monitoring for affected consumers from Equifax, Experian, and TransUnion in addition to $1,000,000 in identity theft insurance and Identity Restoration Services.

However, those affected also have the option of an alternative Reimbursement Compensation of up to One Hundred Twenty-Five Dollars ($125), plus out-of-pocket expenses, which include credit monitoring, costs incurred as a result of placing or removing a security freeze on a Consumer Report with any Consumer Reporting Agency, or any other misuse of an affected consumer’s information as a result of the Breach.

Were you affected?

To determine if you were affected, use the Equifax Eligibility tool which can be found here: https://eligibility.equifaxbreachsettlement.com/en/eligibility. If you were affected, you have to make a claim to receive any compensation related to the settlement.

Do you need information on how to claim the $125 plus additional expenses?

Check out Sandy Smith from Yes, I am Cheap’s Step by Step Claim process.

Don’t jump to take the cash

According to Javelin Research, 16.7 million Americans were victims of identity fraud in 2017.  Although the FTC reported the median amount lost to fraud was only $375, that’s three times the minimum settlement amount.

According to the Identity Theft Resource Center’s 2018 End of Year Data Breach Report, there were 1,244 reported breaches and 446,515,334 sensitive records with identifying information exposed. What’s more alarming is that although breaches were down from 2018, the number of confidential records exposed increased by two and a half times. It is apparent that consumer information will continually be at risk for use.

Unless you have purchased additional credit monitoring or have already been adversely affected and paid money out of pocket, consider taking the four years of credit and identity monitoring, mainly for the $1,000,000 of identity theft protection. The four years of monitoring provides more protection than the money. The question is not if your identity will be compromised, but when.

Even if you weren’t affected by the Breach, you can receive six free credit reports each year for seven years in addition to the free annual credit report already provided.


  1. You can file a claim for the $125 PLUS up to an additional 10 hours of your time at $25 per hour. You can request payment for your time up to 10 hours WITHOUT having to provide documentation. Did you have to comb over your savings and checking accounts? Did you have to comb over credit card accounts? Did you have to call financial institutions? Do not shortchange yourself.
