Equifax Settles With Massachusetts, Indiana Over 2017 Breach
Company Will Pay $38 Million to Settle 2 Lawsuits

Massachusetts and Indiana have reached separate settlements with Equifax over the 2017 data breach that exposed the personal information of millions of residents of both states.
Massachusetts will receive $18 million to settle its claims, says Attorney General Maura Healey, while Indiana will receive $19.5 million as part of its settlement with the company, according to Attorney General Curtis Hill.
Equifax also agreed to make changes to its security policies to comply with laws in the two states.
Massachusetts and Indiana were the only two states not involved in the class action lawsuit brought against Equifax over the data breach by 48 states, the District of Columbia and Puerto Rico, the U.S. Federal Trade Commission and the Consumer Financial Protection Bureau, which resulted in a settlement worth at least $575 million that was announced in July 2019.
In January, a federal judge in Atlanta approved a separate settlement between consumers affected by the breach and Equifax, which resulted in the company paying out $380.5 million to cover credit monitoring as well as Equifax promising to spend $1 billion on security improvements (see: Equifax Settles Mega-Breach Lawsuit for $1.38 Billion).
The 2017 Equifax breach exposed the personal information of over 145 million U.S. consumers as well as 15.2 million records of U.K. residents and data on 8,000 Canadians. At the heart of the breach was Equifax's failure to patch a vulnerability in the Apache Struts open source web application framework, according to numerous investigations.
State Settlements
After Equifax announced the data breach in September 2017, Healey, the Massachusetts attorney general, filed a lawsuit against the company, claiming it failed to protect the personal information of nearly 3 million state residents. The suit also alleged that the company failed to notify victims in a timely manner.
"Equifax had a duty to protect the private information of our consumers and it failed massively - leading to the worst data breach in history," Healey said.
The Massachusetts settlement, which was approved by a state judge on April 13, requires Equifax to take steps to strengthen its security practices and bring them into compliance with Massachusetts law, including implementing regular monitoring, identifying critical security updates, minimizing its collection of sensitive data, improving account management tools, and allowing third-party assessments of its data safeguards, according to the attorney general's office.
Hill, Indiana’s attorney general, noted that the breach affected about 3.9 million residents of that state. "We have worked diligently to hold Equifax accountable and achieve the best possible resolution," Hill said. "Equifax has agreed to correct its security deficiencies and properly safeguard consumers’ information in the future."
A spokesperson for Equifax could not be immediately reached for comment.
Indictments in Case
In February, federal prosecutors indicted four members of China's People's Liberation Army who allegedly oversaw the hacking of Equifax's network by first taking advantage of the Apache Struts vulnerability, which eventually allowed them to gain a foothold within the corporate network and steal more company credentials and consumer data (see: 4 in Chinese Army Charged With Breaching Equifax).
U.S. Attorney General William Barr noted that the Justice Department typically doesn't investigate and criminally charge members of other countries' military or intelligence services, but in cases where intellectual property and citizens' private data are exposed, federal prosecutors will step in.