Equifax Settles Mega-Breach Lawsuit for $1.38 BillionFederal Judge Gives Final Approval to Class Action Settlement Over 2017 Breach
A federal judge in Atlanta has given final approval to a settlement that resolves a class action lawsuit against credit bureau Equifax, which in 2017 suffered one of the largest data breaches in history.
See Also: The Power and Scale of XDR
The deal is essentially the same as the final version of a proposed agreement reached in July 2019 with the Federal Trade Commission. Consumers will get free credit monitoring, or if they already had that in place, up to $125 in a cash payment (see: Equifax Negotiates Potential $700 Million Breach Settlement).
But the settlement includes a $31 million cap for any such cash payments. It means that the more people who apply for a payment, the more the payment amounts will be proportionally lowered (see: Is the Equifax Settlement Good Enough?).
Still, Chief Judge Thomas W. Thrash Jr. writes that “this settlement is the largest and most comprehensive recovery in a data breach case in U.S. history by several orders of magnitude.” The minimum cost to Equifax will be $1.38 billion, which includes $1 billion in security upgrades, Thrash writes.
Information Security Failures
Equifax’s breach was caused by attackers taking advantage of unpatched Apache Struts software between mid-May and July of 2017. A patch was issued in March 2017, but Equifax failed to apply it.
Equifax used Apache Struts to run certain applications on legacy operating systems, according to a December 2018 report on the incident published by the U.S. House of Representative’s Committee on Oversight and Government Reform.
The vulnerability in Struts allowed attackers to gain access to the company’s automated consumer interview system, a custom-built, internet-facing consumer dispute portal developed in 1970s, the report says. From there, attackers pillaged 48 databases, running some 9,000 queries on unencrypted personally identifiable information.
"This settlement is the largest and most comprehensive recovery in a data breach case in U.S. history by several orders of magnitude.”
—Chief Judge Thomas W. Thrash Jr.
Equifax failed to catch such a large exfiltration of data because a security certificate on a traffic monitoring device had expired, the report says. The breach was immediately detected on July 29, 2017, when Equifax updated the security certificate.
Equifax's breach exposed data pertaining to 148 million individuals in the U.S., 15 million in the U.K. and 20,000 in Canada. None of the data has surfaced publicly, which security experts have said may be a sign that the attackers are tied to a nation-state.
The exposed information included names, addresses, email addresses, phone numbers, birth dates, driver’s license and passport numbers and financial data. Equifax’s breach led to a wave of outrage from both consumer and politicians and served as a wake-up call to the risks of the data breaches.
Enthusiasm for Claims
The settlement fund now negotiated as a result of the class action lawsuit against Equifax totals $380.5 million, which covers attorneys’ fees, administration and class benefits. If that runs out, Equifax may have to pay up to $125 million to satisfy claims for out-of-pocket expenses.
The deadline for applying for cash compensation is coming up quickly, on Jan. 22, and can be filed via the settlement website. Consumers can file for out-of-pocket expenses or time spent for their own efforts to mitigate the effects of the breach.
The settlement says that some consumers could receive up to $20,000 for out-of-pocket losses that are “fairly traceable to the breach,” but such requests require documentation.
Consumers can also apply for up to 20 hours of compensation “for time spent taking preventative measures or dealing with identity theft.” That pot of money is capped at $38 million. There is no documentation required for up to 10 hours.
All consumers are eligible for four years of credit monitoring provided by three credit bureaus, including Equifax, as well as six years of credit monitoring and identity protection services through Equifax. The settlement says Equifax’s offering is valued at $24.99 per month.
The offer of free credit monitoring through the same entity that lost the data in the first place has struck many as a cruel irony (see: Consumer Advocates Criticize Equifax Settlement Plan).
So far, class action claims for the settlement have been filed by more than 10 percent of the class, which is very high for those types of claims. Judge Thrash writes that the settlement website had been visited more than 130 million times as of Dec. 1, 2019, with 40 million of those representing “discrete visitors.”
Also, the claims administrator has received more than 15 million claims from verified class action members, including 3.3 million for credit monitoring.
In a separate legal measure, Equifax settled in July 2019 with the FTC, the Consumer Financial Protection Bureau and 50 U.S. states and territories.
Equifax agreed to pay $175 million to 48 states, the District of Columbia and Puerto Rico, according to the FTC. It also agreed to pay $100 million to the CFPB in civil penalties, the agency said.