Biggest credit reporting firm pays $700M USD data breach fine

Data protection specialists say that, after two years, business advisory firm Equifax has reached an agreement with U.S. government agencies to pay around $700M USD over the massive data breach the company suffered in 2017.

The agreement involves bodies such as the Federal Trade Commission (FTC), the Consumer Protection Bureau, and several state attorneys general. As reported, the FTC will release details about the agreement in the coming days; the amount that Equifax will have to pay has not yet been fully defined, and the company can still refuse the final amount of the fine. It is also unknown how many victims of the data breach will receive compensation. So far, it is known only that part of the agreement is to create a fund to compensate those affected by the incident.

According to data protection specialists, a couple of years ago the company confirmed that a group of unidentified threat actors managed to compromise its security and access its systems; during the incident, the hacking group stole confidential information from around 140 million Equifax customers, mainly companies based in countries such as the United States, Canada and the United Kingdom. “I apologize to users and our business customers for the concern and frustration this incident is causing them,” said Richard F. Smith, president of the company.

Subsequent investigations revealed that the data breach occurred because of an unpatched vulnerability in outdated software used by company employees; the then CEO of the company was fired for trying to cover up the incident. In addition to the million-dollar payment for damages, Equifax undertook to update its computer security policies to prevent similar incidents in the future.

According to data protection specialists from the International Institute of Cyber Security (IICS), the records compromised during this incident notably include more than 200k payment card numbers, in addition to almost 190k documents containing personal identification information, which malicious hackers could have used for illegal activities such as card fraud or identity theft.