Equifax will pay $700 million to settle federal and state investigations following the theft of a large number of customers' information in 2017. This is one of the largest sanctions ever imposed.
Equifax said the attackers had access to company files for 12 weeks. The breach resulted in the theft of data belonging to approximately 150 million customers, including Social Security numbers, birth dates, addresses, and certain driver's license numbers.
Federal Trade Commission (FTC) President Joe Simons said in a recent statement, “Companies that profit from personal information have an extra responsibility to protect and secure that data. Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers. This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud.”
In addition to the penalties, Equifax will have to pay $300 million to customers affected by the data breach. If that amount is not enough, it may have to pay an additional $125 million.
After the data breach, Equifax was subjected to several investigations, including investigations by 48 state attorneys. It is alleged that Equifax was warned in March 2017 of a critical security vulnerability (the Apache Struts vulnerability, CVE-2017-5638) in the Equifax Automated Consumer Interview System database (which handles questions from consumers about personal loans) and did not patch it. This vulnerability is thought to have led to the theft of customers' data.
As part of the settlement, Equifax will pay a total of $290.5 million to state and federal regulatory agencies to develop the information security and technology program, as well as to pay attorneys' fees and expenses in the multi-district litigation.
Equifax is not the only company that is subject to criminal sanctions. In early July, the FTC fined Facebook $5 billion for privacy breaches following the Cambridge Analytica incident. The other two companies hit with security fines in July were Marriott ($123 million) and British Airways ($230 million).
As technology develops, protecting personal data becomes more important. With legal sanctions, companies are expected to focus more on security and keep their users' data safe.