August 6, 2019
The settlement for the Equifax data breach of 2017 has been agreed by the FTC. It is the largest of its kind ever agreed by the agency and could see Equifax pay up to $700m in compensation.
Those affected by the data breach, and there were 147 million in the US alone, have been given two options for claiming compensation. The breach compromised some 145 million social security numbers, and the payment card details of 209,000 cards were stolen. For many, the attack could have resulted in serious consequences. Under the terms of the FTC settlement, those affected can either claim a one-off cash payment of $125 or be given a credit monitoring service from Equifax at no cost.
At the moment, more people are opting for the $125 payout than the FTC expected, and that could lead to some issues down the line. FTC assistant director Robert Schoshinski explained:
“The pot of money that pays for that part of the settlement is $31 million. A large number of claims for cash instead of credit monitoring means only one thing: each person who takes the money option will wind up only getting a small amount of money. Nowhere near the $125 they could have gotten if there hadn’t been such an enormous number of claims filed.”
The credit monitoring service being offered in the settlement may be more valuable in the longer term, but considering it is a service offered by Equifax, the very company that allowed the data breach, it perhaps should not be unexpected that the customers affected in the case have opted for the payout instead. It seems an oversight by the FTC not to have recognized that would be the case.
Before this settlement, Uber had been the unwelcome recipient of the largest fine ever handed out by the FTC. That settlement totaled $140m, making the Equifax fine the largest by some distance.
Alongside the massive scale of the incident, there were a couple of mistakes that Equifax made that also resulted in the fine being so large. First, there were known vulnerabilities that the company was warned about that were not properly addressed. In addition, some personal and sensitive customer data was not stored in an encrypted format.
Once the hackers were in, data stored as plain text was easy for them to read and to steal. This lack of proper protection is no longer acceptable with today’s cyber security standards. Not improving security, and not employing encryption, will not only lead to bigger and more damaging hacks against an organization, but also to harsher fines and larger punishments in the subsequent legal cases.
At Global Data Sentinel, we have solutions that help organizations implement the type of strong data encryption and protection that takes no risks with their data – find out more here.