from the A-stolen-identity-is-worth-about-$5 dept.
Equifax to Pay at Least $650 Million in Largest Data-Breach Settlement Ever
The credit bureau Equifax will pay at least $650 million and potentially significantly more to end an array of state, federal and consumer claims over a data breach two years ago that exposed the sensitive information of more than 148 million people. The breach was one of the most potentially damaging in an ever-growing list of digital thefts.
The settlement, which was announced on Monday and still needs court approval, would be the largest ever paid by a company over a data breach. The deal requires Equifax to put a minimum of $380.5 million into a restitution fund for American consumers who file claims showing that they were financially harmed.
A portion of that money will pay for lawyers' fees, but at least $300 million must go to victims, according to settlement documents filed in federal court in Atlanta. If the initial cash is depleted, the company will add up to $125 million more to settle consumers' claims, bringing the total fund size to more than $500 million.
Also at: Ars Technica.
Previously:
Lawsuits Aim Billions in Fines at Equifax and Ad-Targeting Companies
The True Cost of a Data Breach
Equifax Admits 2.5 Million More Americans Were Affected by Cyber Theft
Equifax Data Breach Could Affect 143 Million Americans [Updated]
Related Stories
We had three Soylentils send in notice of a major breach at Equifax. The company has a web site specifically for this breach: https://www.equifaxsecurity2017.com/.
Equifax Data Breach Could Affect 143 Million Americans
Equifax, one of the big three US consumer credit reporting agencies, says that criminals exploited a web application vulnerability to gain access to "certain files":
Equifax Inc. today announced a cybersecurity incident potentially impacting approximately 143 million U.S. consumers. Criminals exploited a U.S. website application vulnerability to gain access to certain files. Based on the company's investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax's core consumer or commercial credit reporting databases.
The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver's license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed. As part of its investigation of this application vulnerability, Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents. Equifax will work with UK and Canadian regulators to determine appropriate next steps. The company has found no evidence that personal information of consumers in any other country has been impacted.
Is there a silver lining to this event?
Also at NYT, Ars Technica, and CNN.
Credit report company Equifax said Monday that an additional 2.5 million Americans may have been affected by the massive security breach of its systems, bringing the total to 145.5 million people who had their personal information accessed or stolen.
Equifax said the company it hired to investigate the breach, Mandiant, has concluded its investigation and plans to release the results "promptly." The company also said it would update its own notification for people who want to check if they were among those affected by Oct. 8.
The information stolen earlier this year included names, Social Security numbers, birth dates and addresses — the kind of information that could put people at significant risk for identity theft.
While Equifax previously said up to 100,000 Canadian citizens may have been affected, it said Monday that the completed review did not bear that out and it determined that the information of only about 8,000 Canadian consumers was involved.
Also at The New York Times, The Washington Post, Fortune and others.
Submitted via IRC for chromas
The true cost of a data breach
From the implementation of the General Data Protection Regulation (GDPR) back in May, which fundamentally changed the rulebook for storing data of EU citizens, to the Butlin's hack, 2018 has been a very significant year for cybersecurity.
One of the biggest changes centred around transparency, specifically businesses being forced to reveal within 72 hours if they have suffered a breach. While the US has had this type of policy for a while, businesses in the EU were not required to publicly state when a breach occurred, leaving them free to keep significant news like this from their customers. But now things have changed, and it's starting to heat up in the EU.
Submitted via IRC for Bytram
Lawsuits Aim Billions in Fines at Equifax and Ad-Targeting Companies
Equifax, Experian and Oracle are among a slate of companies, whose business is consumer information, that could soon face billions of dollars in fines for improper data handling.
Privacy International has filed complaints against seven corporations, consisting of data brokers (Acxiom and Oracle), companies that provide consumer profiling and targeting data for advertising purposes (Criteo, Tapad and Quantcast), and two credit-referencing agencies that collect sensitive financial data on roughly everyone in the U.S. as well as many in Europe and elsewhere (Equifax and Experian). The complaints have been lodged with data protection authorities in France, Ireland and the U.K. The group is asking for an investigation into their data-handling practices under the auspices of Europe's strict General Data Protection Regulation (GDPR).
The GDPR, which went into effect in May, gives regulators real teeth when it comes to enforcing privacy mandates, including issuing fines of up to 4 percent of an offending company's annual turnover. That would equal billions of dollars for Fortune 500 companies such as Equifax, which consumers know from the massive data breach last year.
Aside from the credit-reporting giants, the complaints target companies that, despite collecting and using or selling the data of millions of people, are not household names.
(Score: 3, Funny) by Anonymous Coward on Monday July 22 2019, @10:45PM (2 children)
I'm going to spend mine on hookers and blow.
(Score: 1) by khallow on Tuesday July 23 2019, @03:11AM
(Score: 3, Insightful) by stretch611 on Tuesday July 23 2019, @08:59AM
It will be sent to victims in the form of a coupon offering $2 off a year of equifax's credit monitoring service.
Now with 5 covid vaccine shots/boosters altering my DNA :P
(Score: 1) by fustakrakich on Monday July 22 2019, @11:12PM (1 child)
Anyone placing bets on whether the breach is still running?
Politics and criminals are the same thing.
(Score: 3, Touché) by stretch611 on Tuesday July 23 2019, @09:01AM
I'll bet my $2 that the original breach is no longer running.
However, I will bet the winnings of that bet that a new breach has replaced it and is active.
Now with 5 covid vaccine shots/boosters altering my DNA :P
(Score: 3, Insightful) by DavePolaschek on Monday July 22 2019, @11:52PM (1 child)
The FTC intentionally kept the damages small enough to not kill Equifax. Cranking it up to 300 billion or so would be closer to a corporate death penalty. Only way to be sure.
(Score: 2, Insightful) by khallow on Tuesday July 23 2019, @03:09AM
(Score: 3, Insightful) by c0lo on Tuesday July 23 2019, @12:19AM (5 children)
$380.5M / 148M people < $2.4/person. Only the cost of "showing financial harm" far exceeds the restitution => fines are no longer a punishment, to act as reparations or as deterrent.
What we are seeing can be described as "the normalization of fines as cost of doing business".
Old satire [youtube.com] is long overtaken by the reality.
https://www.youtube.com/@ProfSteveKeen https://soylentnews.org/~MichaelDavidCrawford
(Score: 2) by PartTimeZombie on Tuesday July 23 2019, @12:30AM (4 children)
It is probably just your standard regulatory capture.
Nothing unusual here.
(Score: 2) by c0lo on Tuesday July 23 2019, @01:03AM (3 children)
Don't blame me, I didn't capture anything (grin)
Naming it "regulatory capture" doesn't take it outside the more general "corruption" phenomenon.
It's nasty what corruption does to society when it gets over a certain level (one of the reasons I chose to emigrate).
https://www.youtube.com/@ProfSteveKeen https://soylentnews.org/~MichaelDavidCrawford
(Score: 2) by PartTimeZombie on Tuesday July 23 2019, @01:15AM (2 children)
I promise to stop blaming you for this in future.
You're right, regulatory capture is just another example of corruption, but it is pretty common in western countries and just something we will have to live with, at least until the revolution comes. ;-)
(Score: 2) by c0lo on Tuesday July 23 2019, @01:43AM (1 child)
Good. 'cause anyone in my dungeon is there consensually (grin)
Used to somewhat work in the old days, on the lines of:
But I don't think it is going to work as such today. Not against the actual captors anyway.
https://www.youtube.com/@ProfSteveKeen https://soylentnews.org/~MichaelDavidCrawford
(Score: 2) by PartTimeZombie on Tuesday July 23 2019, @02:14AM
Sadly I think you may be right.
(Score: 0) by Anonymous Coward on Tuesday July 23 2019, @12:43AM
a pay-for-credit-rating product.
(Score: 0) by Anonymous Coward on Tuesday July 23 2019, @07:48PM
I guess hiring music composition major Susan Mauldin to be Equifax's chief information security officer was a bad idea. Who could have guessed?