Reports: Equifax Will Pay $700 Million for 2017 Data Breach

(Image credit: madamF / Shutterstock)

It's been almost two years since Equifax revealed that a data breach compromised the personal information of more than 143 million Americans. The saga might finally be coming to a close, because the credit bureau is nearing a settlement with state and federal regulators that's expected to cost it between $650 million and $700 million, according to both The Wall Street Journal and The New York Times.

The NYT said most of the settlement would go to people affected by the data breach. It also said the deal included the Federal Trade Commission, the Consumer Financial Protection Bureau, and at least 48 state attorneys general. Regulators will reportedly make Equifax "take measures aimed at protecting its data" via the settlement, which could be revealed as early as July 22, according to the NYT's report.

Details about the data breach frequently changed after its public disclosure. Equifax initially said in September 2017 that the Social Security numbers of 143 million Americans were compromised. It raised that number to 145.5 million in October 2017, raised it again to 147.9 million in March 2018, and then said in May 2018 that another 56,000 people also had their driver's licenses and passports stolen.

We noted when the breach was revealed that most people didn't willingly provide Equifax with their personal information. The company gathers as much data about as many people as it can without ever informing them how much it knows, how it gathers that information, or how that data is secured. (Although the data breach would imply the answer to that last question is "not well.") This is solely on Equifax.

The company's lackadaisical approach to security was revealed shortly after the breach's disclosure. It turns out the information was compromised via a known vulnerability that Equifax had ample time to fix, and in a separate incident, it secured an Argentinian web portal with the username/password combination of "admin/admin." Several of its social media employees also directed breach victims to a fake site.

As if that weren't bad enough, Equifax also waited several days to disclose the breach, during which time numerous executives sold some of their stock in the company. Those executives reportedly didn't know about the breach when they made those sales--although that would mean the chief financial officer, the head of U.S. information solutions, and the head of workforce solutions were unbelievably ill-informed.

All those failures (technical, legal, ethical) have resulted in a $650 million to $700 million settlement. That might seem like a lot, but much like Facebook could easily weather a $5 billion settlement with the FTC, there's little chance of Equifax suffering much from this payout. Per its latest quarterly report, it actually estimated the settlement to cost up to $690 million and preemptively set that money aside.

Nathaniel Mott
Freelance News & Features Writer

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.

  • USAFRet
    "more than 143 million Americans "
    "a settlement with state and federal regulators ..... between $650 million and $700 million"
    "most of the settlement would go to people affected by the data breach "

    We get tree fiddy each!

    That's not worth my time to deposit the check in the bank.

    How about a real fix. As in...what are these companies doing with all this personal data?
  • bit_user
    These guys are data brokers, plain and simple. Like all other data brokers, they should be subject to strict regulation about what information they can collect, maintain, how it can be used, and how people can see and contest the data collected on them.

    It won't happen, though. If we could ever fix campaign finance reform, I doubt such regulation would prove so intractable.
  • AllanGH
    That settlement should actually be in the (to the point of several tens of) billions.

    $700M is simply not a disincentive for corporate bad actors anymore.
  • USAFRet
    "143 million Americans"
    This does not count kids and non-working spouses, with no 'credit report'.
    However, those people are attached to someone with data held by Equifax.

    So, basically every single person in this country.
    Tens of billions, and some actual jail time.
    This is not the first breach like this. They are apparently not learning.

    Or rather...they are learning. Learning that there are no real consequences.
  • AllanGH
    USAFRet said:
    Learning that there are no real consequences.

    Actually, fines of this nature should be based upon a percentage of gross revenues....let's start at 15% and work our way up.
  • AllanGH
    In fact.....I've been thinking about this sort of thing for quite a number of years, now:

    Let's say that you have committed one of the more extreme moving violations in California, and it's your first offense...
    VC 22348B - Speeding Over 100 MPH Prohibited, first offense = $500.00 fine

    That's BEFORE court costs, and various other financial penalties are added to the base fine, mind you; and, for some of the lower-order violations, the base fine is the least of your worries (according to some sources, a $35.00 base fine can result in a final assessment against you of $380.00). But, let's focus on the base fine, for the time being, while keeping in mind that it's a LOT worse at the cashier's window.

    So, the median income for a full-time worker, in the United States, is $43,317.00 per year, and we'll say that's what you make.

    That means that the $500.00 fine would be 1.1542812291% of your income for the year; and that hurts.

    Now, the guy who makes $500,000.00 won't even miss the 1/1000th of his income for the same offense; so, why aren't we fining the guy who makes $500,000.00 per year the same percentage of HIS income?

    Losing $5,771.41 has the same proportionate impact upon that person's finances and, thus, carries a similar dissuasive effect on his future behaviour. $8,657.12 for the second offense, and $11,542.81 for the third....OUCH!

    How about the person who drags-down several million dollars per year?

    IMHO, it has long been my opinion that we should be requiring people to appear in court with a copy of their most recent 1040 filing, to have their fines assessed in a manner that impacts every infractor in the same manner. I bet you'd see a lot less "A-hole" driving out of the BMWs, Mercedes', and Jags on the road, if we did.

    Move this idea into the realm of corporate criminality. Compile a schedule of fines which are percentages of GROSS corporate revenues, and hammer the ish out of corporate criminals with financial penalties that ACTUALLY HURT them.

    I'd be willing to put money on corporations "suddenly" growing a conscience, and regulating their behaviour, instead of treating fines as merely a 'cost of doing business'; and it's long past the time when we should have started doing this.

    Anyway....I'm going to shut-up, now.
  • USAFRet
    And the other side of that is:
    Equal punishment for equal crimes.
    $500 = $500

    I believe Finland has a sliding scale like what you refer to.
  • AllanGH
    And, yet, equal dollars assessed result in disparate impact--usually in favor of the obscenely rich.

    Unfortunately, such people are so well-placed that I'm probably chasing rainbows. It's likely a near-impossibility to get well-reasoned legislation passed that will improve life for everyone.
  • TCA_ChinChin
    If CEOs and management get all the credit and bonuses for doing well, they alone are responsible for the downfalls as well. CEOs and management need to take responsibility and personally take the fine numbers. 690 million being paid by Equifax just means that 690 million dollars' worth of employee benefits, full-time jobs, and incentives are cut for your average Equifax worker while the upper crust walks off with a 100 million dollar retirement bonus and finds easy management jobs at another irresponsible Fortune 500 company.
  • AllanGH
    Which is a good argument for setting aside the prima facie presumption of "good faith", holding the principal officers criminally liable for the corporate conduct, and assessing fines and prison time accordingly--up to and including the seizure of personal assets and real property.