Utah awarded $1.4 million as part of ‘largest data breach enforcement action in history’

ST. GEORGE — The Utah Attorney General’s Office has announced its part in a sweeping settlement action against credit monitoring giant Equifax after a 2017 security breach left the data of nearly half of all Americans vulnerable.

“This is the largest data breach enforcement action in history,” Utah Attorney General Sean Reyes said in a statement released Monday. Reyes was among the 50 attorneys general across the country who participated in the investigation.

Equifax has agreed to pay the states a total of $175 million, more than $1.4 million of which is earmarked for Utah.

The investigation found that Equifax’s failure to maintain a reasonable security system enabled hackers to penetrate its systems, exposing the data of more than 145 million Americans. Equifax announced the breach Sept. 17, 2017, after the security breach went unnoticed for 76 days.

Equifax has also agreed to take several steps to assist consumers who are either facing identity theft issues or who have already had their identities stolen.

The Federal Trade Commission says the settlement will require Equifax to spend up to $425 million helping consumers. The company must also provide up to 10 years of free credit monitoring to those who had their data exposed.

Further, Equifax will be required to strengthen its security practices going forward by reorganizing its data security team, minimizing its collection of sensitive data and performing regular security monitoring, among other requirements.

The breach as it unfolded

The massive breach was made possible by a flaw in Apache Struts, a tool the company used to design and build web applications, according to a press release issued by Equifax in 2017.

Equifax admitted that it was aware of the security flaw a full two months before the company says hackers first gained access to the data. Through that flaw, hackers were able to access Social Security numbers, birth dates, addresses and some driver's license numbers.

Even after discovering the data breach, Equifax admitted to waiting until it “observed additional suspicious activity” a day later to take the web application offline. Days later, the company reached out to Mandiant, a professional cybersecurity firm, to help the company assess what data had been compromised.

With Mandiant’s assistance, Equifax determined that a series of breaches had occurred over a period of more than two months, from May 13 through July 30.

Many security experts and the coalition of attorneys general found that the company should have moved faster in deploying a patch to address the security flaw. Equifax has also been criticized for waiting more than a month to alert its customers and shareholders about the hack, as security expert Brian Krebs said in an article posted on his website immediately after Equifax’s announcement.

“I cannot recall a previous data breach in which the breached company’s public outreach and response has been so haphazard and ill-conceived as the one coming right now from big-three credit bureau Equifax,” he said.

Krebs said offering free credit monitoring services via its own service makes little sense since the breach took place in-house on the company’s network — the same network that would be responsible for the monitoring service. Additionally, he explained, it would give the company a chance to “hard-sell consumers to sign up for paid credit protection plans” when the free coverage expired.

Anyone affected by the breach will not see a penny of the money or any other benefits from the settlement unless they “do something about it,” Krebs said, adding that the financial impact on the company will be determined by how many of those affected submit claims and sign up for the credit monitoring services.

Consumers who are eligible for redress will be required to submit claims online or by mail. Consumers can obtain information about the settlement, check their eligibility and file a claim on the Equifax settlement online registry. The FTC provides detailed information about what consumers can expect from the settlement on its website.

Email: cblowers@stgnews.com

Copyright St. George News, SaintGeorgeUtah.com LLC, 2019, all rights reserved.
