“Today’s announcement is not the end of our efforts to make sure consumers’ sensitive personal information is safe and secure. The incident at Equifax underscores the evolving cyber security threats confronting both private and government computer systems and actions they must take to shield the personal information of consumers. Too much is at stake for the financial security of the American people to make these protections anything less than a top priority. For consumers impacted by the Equifax breach, today’s settlement will make available up to $425 million for time and money they spent to protect themselves from potential threats of identity theft or addressing incidents of identity theft as a result of the breach. We encourage consumers impacted by the breach to submit their claims in order to receive free credit monitoring or cash reimbursements,” said Consumer Financial Protection Bureau Director Kathleen L. Kraninger.
Company’s Security Failures
The FTC alleges that Equifax failed to patch its network after being alerted in March 2017 to a critical security vulnerability affecting its ACIS database, which handles inquiries from consumers about their personal credit data. Even though Equifax’s security team ordered that each of the company’s vulnerable systems be patched within 48 hours after receiving the alert, Equifax did not follow up to ensure the order was carried out by the responsible employees.
In fact, Equifax did not discover that its ACIS database was unpatched until July 2017, when its security team detected suspicious traffic on its network. A company investigation revealed that multiple hackers were able to exploit the ACIS vulnerability to gain entry to Equifax’s network, where they accessed an unsecured file that included administrative credentials stored in plain text. These credentials allowed the hackers to gain access to vast amounts of consumers’ personally identifiable information and to operate undetected on Equifax’s network for months.
The hackers targeted Social Security numbers, dates of birth, and other sensitive information, mostly from consumers who had purchased products from Equifax such as credit scores, credit monitoring, or identity theft prevention services. For example, hackers stole at least 147 million names and dates of birth, 145.5 million Social Security numbers, and 209,000 payment card numbers and expiration dates.
Hackers were able to access a staggering amount of data because Equifax failed to implement basic security measures, according to the complaint. These failures include not implementing a policy to ensure that security vulnerabilities were patched; not segmenting its database servers to block access to other parts of the network once one database was breached; and not installing robust intrusion detection protections for its legacy databases. The FTC also alleges that Equifax stored network credentials and passwords, as well as Social Security numbers and other sensitive consumer information, in plain text.
Despite its failure to implement basic security measures, Equifax’s privacy policy at the time stated that it limited access to consumers’ personal information and implemented “reasonable physical, technical and procedural safeguards” to protect consumer data.
The FTC alleges that Equifax violated the FTC Act’s prohibition against unfair and deceptive practices and the Gramm-Leach-Bliley Act’s Safeguards Rule, which requires financial institutions to develop, implement, and maintain a comprehensive information security program to protect the security, confidentiality, and integrity of customer information.
Settlement Requirements
In addition to the monetary relief to consumers, Equifax is required to implement a comprehensive information security program that obligates the company to take several measures, including:
Designating an employee to oversee the information security program;