Equifax’s failure to patch a known web application security flaw—that later proved to be the root cause of the its massive data breach in 2017—is $1.38 billion. Equifax has agreed to set aside a minimum of $380.5 million as breach compensation and spend another $1 billion on transforming its information security over the next five years.
The US District Court for the Northern District of Georgia granted final approval of a settlement arrived at last July between the Federal Trade Commission and Equifax. Personal data, including Social Security Numbers belonging to some 147 million US consumers was compromised in the breach. Equifax blamed the incident on a buggy component in the open-source Apache Struts framework for which a patch was available at the time of the breach.
Money from the $380.5 million fund will be used to pay for credit monitoring services and compensation of up to $20,000 to individuals who can show documented out-of-pocket expenses directly related to the breach. The court-approved settlement allows individuals to claim up to 20 hours—at $25 per hour—for any time they might have had to spend taking preventative measures to protect their data against fraud and misuse following the breach. Up to 10 of those hours can be self-certified and requires no documentation.
Equifax will also provide up to four years of free three-bureau credit monitoring and identify protection services to victims of the data breach. In addition, the company will provide another six years of its own credit monitoring and identity protection service for free. Victims who were legal minors at the time of the breach are eligible for a total of 18 years of free credit monitoring.
“This settlement is the largest and most comprehensive recovery in a data breach case in US history by several orders of magnitude,” District Judge Thomas Thrash, Jr. wrote. “The minimum cost to Equifax of the settlement is $1.38 billion and could be more, depending on the cost of complying with the injunctive relief,” and other measures, he wrote.
Rui Lopes, sales engineering and technical support director at Panda Security says the security breach suffered by Equifax in 2017 was one of the biggest data in history. The big question is whether it could have been prevented. “And the answer is simply ‘yes,'” Lopes says. “Equifax left the door open to cybercriminals by not updating an open-source web application development framework.”
The post Equifax data breach settlement set at $1.38 billion appeared first on Payments Cards & Mobile.