[BreachExchange] Equifax Settles Mega-Breach Lawsuit for $1.38 Billion

Destry Winant destry at riskbasedsecurity.com
Thu Jan 16 08:17:14 EST 2020


https://www.databreachtoday.com/equifax-settles-mega-breach-lawsuit-for-138-billion-a-13608

A federal judge in Atlanta has given final approval to a settlement
that resolves a class action lawsuit against credit bureau Equifax,
which in 2017 suffered one of the largest data breaches in history.

The final approval order

The deal is essentially the same as the final version of a proposed
agreement reached in July 2019 with the Federal Trade Commission.
Consumers will get free credit monitoring, or if they already had that
in place, up to $125 in a cash payment (see: Equifax Negotiates
Potential $700 Million Breach Settlement).

But the settlement includes a $31 million cap for any such cash
payments. It means that the more people who apply for a payment, the
more the payment amounts will be proportionally lowered (see: Is the
Equifax Settlement Good Enough?).

Still, Chief Judge Thomas W. Thrash Jr. writes that "this settlement
is the largest and most comprehensive recovery in a data breach case
in U.S. history by several orders of magnitude." The minimum cost to
Equifax will be $1.38 billion, which includes $1 billion in security
upgrades, Thrash writes.

Information Security Failures

Equifax's breach was caused by attackers exploiting an unpatched
vulnerability in Apache Struts between mid-May and late July 2017. A
patch had been issued in March 2017, but Equifax failed to apply it.

Equifax used Apache Struts to run certain applications on legacy
operating systems, according to a December 2018 report on the incident
published by the U.S. House of Representative's Committee on Oversight
and Government Reform.

The vulnerability in Struts allowed attackers to gain access to the
company's automated consumer interview system, a custom-built,
internet-facing consumer dispute portal originally developed in the
1970s, the report says. From there, attackers pillaged 48 databases,
running some 9,000 queries against unencrypted personally identifiable
information.

Equifax failed to catch such a large exfiltration of data because a
security certificate on a device that inspected the portal's encrypted
traffic had expired, leaving that traffic uninspected, the report says.
The breach was detected on July 29, 2017, almost immediately after
Equifax renewed the certificate.
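The failure described above is a monitoring blind spot that opens silently: the device keeps running, but once its certificate lapses it can no longer see the traffic it is supposed to inspect, and nothing complains. The check a practitioner would want is an inventory of every certificate that a security control depends on, audited against a renewal window so that expiry is paged before it happens and flagged loudly when it already has. The following Go program is an added example written for this page; it is not Equifax's code and not from the House report. The device names are hypothetical, and the certificates are self-signed throwaways constructed in the program itself (in practice you would load the PEM from each device), with validity windows chosen to exercise each outcome against the July 29, 2017 detection date named in the article.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"sort"
	"time"
)

// CertStatus is the result of checking one certificate against a reference time.
type CertStatus string

const (
	StatusExpired     CertStatus = "EXPIRED"       // an inspection device with this cert is blind: page someone
	StatusExpiring    CertStatus = "EXPIRING_SOON" // inside the renewal window, renew before the blind spot opens
	StatusNotYetValid CertStatus = "NOT_YET_VALID" // usually a clock or deployment mistake
	StatusOK          CertStatus = "OK"
)

// CheckExpiry classifies cert relative to now and reports the time remaining.
// Anything that lapses within warnBefore is reported as expiring.
func CheckExpiry(cert *x509.Certificate, now time.Time, warnBefore time.Duration) (CertStatus, time.Duration) {
	remaining := cert.NotAfter.Sub(now)
	switch {
	case now.Before(cert.NotBefore):
		return StatusNotYetValid, remaining
	case remaining <= 0:
		return StatusExpired, remaining
	case remaining <= warnBefore:
		return StatusExpiring, remaining
	default:
		return StatusOK, remaining
	}
}

// Finding ties a status back to the device that carries the certificate.
type Finding struct {
	Device    string
	Status    CertStatus
	Remaining time.Duration
}

// Audit checks every certificate in the inventory and returns only the entries
// that need action, ordered by urgency (least time remaining first).
func Audit(inventory map[string]*x509.Certificate, now time.Time, warnBefore time.Duration) []Finding {
	var findings []Finding
	for device, cert := range inventory {
		status, remaining := CheckExpiry(cert, now, warnBefore)
		if status != StatusOK {
			findings = append(findings, Finding{Device: device, Status: status, Remaining: remaining})
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].Remaining < findings[j].Remaining })
	return findings
}

// selfSignedCert mints a throwaway self-signed certificate with the given
// validity window. It is constructed test data standing in for the certificate
// installed on a real device; in production you would parse the device's PEM.
func selfSignedCert(cn string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Reference time: the day the article says the breach was finally detected.
	now := time.Date(2017, time.July, 29, 0, 0, 0, 0, time.UTC)
	const warn = 30 * 24 * time.Hour

	// Hypothetical device names; validity windows chosen to exercise each status.
	mk := func(cn string, expiresIn time.Duration) *x509.Certificate {
		c, err := selfSignedCert(cn, now.AddDate(-2, 0, 0), now.Add(expiresIn))
		if err != nil {
			panic(err)
		}
		return c
	}
	inventory := map[string]*x509.Certificate{
		"acis-tls-inspector": mk("acis-tls-inspector.example", -10*30*24*time.Hour), // lapsed about ten months ago
		"edge-proxy":         mk("edge-proxy.example", 12*24*time.Hour),             // inside the renewal window
		"vpn-concentrator":   mk("vpn.example", 365*24*time.Hour),                    // healthy, not reported
	}

	for _, f := range Audit(inventory, now, warn) {
		fmt.Printf("%-20s %-14s %6.0f days remaining\n", f.Device, f.Status, f.Remaining.Hours()/24)
	}
}
```

The point of keeping the inventory keyed by device rather than by hostname is that a certificate on an inline inspection appliance never appears in an external scan of your public endpoints; it has to be enumerated from the device itself. An expired entry here should be treated as a detection outage, not a hygiene finding.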

Equifax's breach exposed data pertaining to 148 million individuals in
the U.S., 15 million in the U.K. and 20,000 in Canada. None of the
data has surfaced publicly, which security experts have said may be a
sign that the attackers are tied to a nation-state.

The exposed information included names, addresses, email addresses,
phone numbers, birth dates, driver's license and passport numbers and
financial data. Equifax's breach led to a wave of outrage from both
consumers and politicians and served as a wake-up call about the risks
of data breaches.

Enthusiasm for Claims

The settlement fund now negotiated as a result of the class action
lawsuit against Equifax totals $380.5 million, which covers attorneys'
fees, administration and class benefits. If that runs out, Equifax may
have to pay up to $125 million to satisfy claims for out-of-pocket
expenses.

The deadline for applying for cash compensation is coming up quickly,
on Jan. 22, and can be filed via the settlement website. Consumers can
file for out-of-pocket expenses or time spent for their own efforts to
mitigate the effects of the breach.

The settlement says that some consumers could receive up to $20,000
for out-of-pocket losses that are "fairly traceable to the breach,"
but such requests require documentation.

Consumers can also apply for up to 20 hours of compensation "for time
spent taking preventative measures or dealing with identity theft."
That pot of money is capped at $38 million. There is no documentation
required for up to 10 hours.

All consumers are eligible for four years of credit monitoring covering
all three credit bureaus, including Equifax, followed by up to six
additional years of credit monitoring and identity protection services
through Equifax. The settlement says Equifax's offering is valued at
$24.99 per month.

The offer of free credit monitoring through the same entity that lost
the data in the first place has struck many as a cruel irony (see:
Consumer Advocates Criticize Equifax Settlement Plan).

So far, class action claims for the settlement have been filed by more
than 10 percent of the class, which is very high for those types of
claims. Judge Thrash writes that the settlement website had been
visited more than 130 million times as of Dec. 1, 2019, with 40
million of those representing "discrete visitors."

Also, the claims administrator has received more than 15 million
claims from verified class action members, including 3.3 million for
credit monitoring.

In a separate legal measure, Equifax settled in July 2019 with the
FTC, the Consumer Financial Protection Bureau and 50 U.S. states and
territories.

Equifax agreed to pay $175 million to 48 states, the District of
Columbia and Puerto Rico, according to the FTC. It also agreed to pay
$100 million to the CFPB in civil penalties, the agency said.
