Patch your software. Segment your network. Monitor for intruders. According to tech experts, those are security basics for businesses of any size. But when you are industry giant Equifax – a company in possession of staggering amounts of highly confidential information about more than 200 million Americans – it’s almost unthinkable not to implement those fundamental protections. An FTC, CFPB, and State AG settlement of at least $575 million illustrates the injury to consumers when companies ignore reasonably foreseeable (and preventable) threats to sensitive data. Read on for security tips for your business and what consumers can do to get compensation for their losses and sign up for free credit monitoring.

The Equifax data breach has been in the headlines, but what happened behind the scenes? According to the complaint, in March 2017, US-CERT – Homeland Security’s cyber experts – alerted Equifax and other companies about a critical security vulnerability in open-source software used to build Java web applications. The alert warned anyone using a vulnerable version of the software to update it immediately to a free patched version. It didn’t take long before the press reported that hackers had already started to exploit the vulnerability. Equifax’s security team got the US-CERT alert on March 9, 2017, and sent it to more than 400 employees with instructions that the staffers responsible for the affected software should patch it within 48 hours, as required by the company’s Patch Management Policy. Within a week, Equifax performed a scan intended to search for vulnerable forms of the software remaining on its network. But the scan Equifax conducted wasn’t up to the task, which ultimately proved devastating to consumers. The lawsuit alleges that Equifax didn’t detect the “open sesame” vulnerability in its system for months.

How sensitive was the data stored on the ACIS portal?
The hack took place in the portal where Equifax collected information about consumer disputes, including documentation uploaded by consumers. In addition, Equifax used that platform for consumer credit freezes, fraud alerts, and even requests for a free annual credit report. Thus, millions of consumers interacted with the ACIS portal every year. The complaint outlines the specifics, but suffice it to say that for hackers looking for Social Security numbers, dates of birth, credit card numbers, expiration dates, and the like, the data on ACIS was a gold mine. According to Equifax’s forensic analysis, attackers were able to steal (among other things) approximately 147 million names and dates of birth, 145 million Social Security numbers, and 209,000 credit and debit card numbers and expiration dates.

Considering the staggering breadth of this breach, you should assume that your personal data has been compromised. We urge you to set up credit monitoring for yourself and file a claim with Equifax for their failure to protect your information. Visit https://eligibility.equifaxbreachsettlement.com/en/eligibility to determine if your information, or the information of a minor in your household, was compromised, and ftc.gov/equifax (also available in Spanish) for information about how to apply for compensation.

The settlement requires Equifax to pay at least $300 million to a fund that will provide affected consumers with credit monitoring services, compensate people who bought credit or identity monitoring services from Equifax, and reimburse consumers for out-of-pocket expenses incurred as a result of the 2017 data breach. Equifax will add up to $125 million more to the fund if the initial payment isn’t enough to compensate consumers for their losses. Equifax also will pay $175 million to 48 states, the District of Columbia and Puerto Rico, and a $100 million civil penalty to the CFPB.