It's been almost two years since Equifax revealed that a data breach compromised the personal information of more than 143 million Americans. The saga might finally be coming to a close, because the credit bureau is nearing a settlement with state and federal regulators that's expected to cost it between $650 million and $700 million, according to both The Wall Street Journal and The New York Times.
The NYT said most of the settlement would go to people affected by the data breach. It also said the deal included the Federal Trade Commission, Consumer Financial Protection Bureau, and at least 48 state attorneys general. Regulators will reportedly make Equifax "take measures aimed at protecting its data" via the settlement, which could be revealed as early as July 22, according to the NYT's report.
Details about the data breach frequently changed after its public disclosure. Equifax initially said in September 2017 that the Social Security Numbers of 143 million Americans were compromised. It raised that number to 145.5 million in October 2017, raised it again to 147.9 million in March 2018, and then said in May 2018 that another 56,000 people also had their driver's licenses and passports stolen.
We noted when the breach was revealed that most people didn't willingly provide Equifax with their personal information. The company gathers as much data about as many people as it can without ever informing them how much it knows, how it gathers that information, or how that data is secured. (Although the data breach would imply the answer to that last question is "not well.") This is solely on Equifax.
The company's lackadaisical approach to security was revealed shortly after the breach's disclosure. It turns out the information was compromised via a known vulnerability Equifax had ample time to fix, and in a separate incident, it secured an Argentinian web portal with the username/password combination of "admin/admin." Several of its social media employees also directed breach victims to a fake site.
As if that weren't bad enough, Equifax also waited several days to disclose the breach, during which time numerous executives sold some of their stock in the company. Those executives reportedly didn't know about the breach when they made those sales--although that would mean the chief financial officer, the head of U.S. information solutions, and head of workforce solutions were unbelievably ill-informed.
All those failures (technical, legal, ethical) have resulted in a $650 million to $700 million settlement. That might seem like a lot, but much like Facebook could easily weather a $5 billion settlement with the FTC, there's little chance of Equifax suffering much from this payout. Per its latest quarterly report, it actually estimated the settlement to cost up to $690 million and preemptively set that money aside.