In one of the most expensive apologies that we’ve ever seen, Equifax will pay out up to $700 million to settle a collection of lawsuits that surfaced after a security breach in 2017 exposed social security numbers and other sensitive information of millions of people.
The settlement includes over $400 million going straight to consumers and another $100 million in penalties.
Some say that it’s too little, too late. “The settlement is a record-breaking fine in the US for a data mishap,” writes Wired. “Given the massive scope and scale of the Equifax breach, though, and compared with the $5 billion data mishandling fine the FTC levied against Facebook two weeks ago, the scale of the Equifax settlement struck many observers as insufficient.”
Let’s rewind. If you’re not familiar with the breach, Equifax admitted that sensitive consumer information was obtained through the clever work of hackers, who have still not been discovered. Social Security and credit card numbers, home addresses, birth dates, and driver’s license numbers are among the information that was stolen from almost 150 million people.
Who gets paid? That’s tough to tell. From CNBC:
- Equifax will give consumers a range of options for monitoring their credit or making claims of fraud or data misuse, part of a $425 million restitution fund.
- But proving data loss or misuse will be exceedingly difficult, as the data stolen in the Equifax breach has never been found for sale on the dark web.
- Connecting a specific data breach to identity theft is already difficult, but without sales data from underground forums, it would be nearly impossible.
- But the FTC has said it will make the process as easy as possible for consumers, including letting victims of any breach that happened after the Equifax breach apply for restitution funds.
The settlement includes free credit monitoring services and the potential for cash payments to affected consumers.
Equifax was also criticized for its response to the breach, including forced arbitration against customers and even selling its own identity protection services to those who were affected.