Alabama Attorney General Steve Marshall announced Monday that a coalition of 50 attorneys general has reached a $600 million settlement with Equifax regarding a massive 2017 data breach. In Alabama, approximately 2.3 million consumers, or about half the state, were affected and are eligible for compensation.
The attorneys general's investigation discovered that Equifax failed to maintain a reasonable security system, which enabled the hackers to penetrate its systems. This exposed the data of 56 percent of American adults — the largest-ever breach of consumer data.
The attorneys general have secured a settlement with Equifax that includes a Consumer Restitution Fund of up to $425 million, a $175 million payment to the states, as well as extensive injunctive relief. This is the largest data breach enforcement action in national history.
“Equifax failed utterly in its responsibility to safeguard the information of consumers with due diligence, with consequences of untold harm by identity thefts that have occurred and may yet occur,” Marshall said. “This settlement provides important steps to compensate consumers and mitigate the damage from Equifax’s careless practices. Perhaps as significant is the message to other businesses that they will be held to account for maintaining a high standard of protection for their customers’ data. I am extremely proud of the commitment and hard work by the staff of my Consumer Interest Division, which was part of the multistate executive committee, in reaching this settlement for the benefit of Alabama consumers.”
Equifax gets paid by creditors to maintain a database on the credit history of almost every American. Lenders use this information to set credit scores and to base lending decisions and the interest rates they charge, among other things, on the information that Equifax supplies to them. Some employers and landlords even use the credit scores to make employment and renting decisions.
Equifax announced on Sept. 7, 2017, that it had been breached. The data breach affected more than 147 million consumers — nearly half of the U.S. population. The hackers stole Social Security numbers, names, dates of birth, addresses, credit card numbers and, in some cases, driver’s license numbers.
A coalition that grew to 50 attorneys general launched a multi-state investigation into the breach. The investigation found that the breach occurred because Equifax failed to implement an adequate security program to protect consumers’ highly sensitive personal information.
The state attorneys general found that Equifax was aware of a critical vulnerability in its software but failed to fully patch its systems. Equifax also failed to replace software that monitored the breached network for suspicious activity. Equifax was so lax in its duties that the company did not even notice. This likely was the most damaging breach to occur to American families due to the nature of the data that is now in the hands of cybercriminals. Criminals are now in possession of all that data and could be using it for years to come.
When credit companies leak customers’ credit card information, they usually reissue the customer new numbers and largely absorb the fraudulent transaction costs. Cybercriminals having such a rich data profile of your identity is a much greater risk to your digital safety. Having information including Social Security number, birth date, address, driver’s license and other personal information can empower criminals to commit full-fledged identity theft, as well as a takeover of a consumer’s existing digital accounts, such as your bank, brokerage or email.
Under the terms of the settlement, Equifax agreed to provide a single Consumer Restitution Fund of up to $425 million — with $300 million dedicated to consumer redress. If the $300 million is exhausted, the fund can increase by up to an additional $125 million. The company will also offer affected consumers extended credit-monitoring services for a total of 10 years.
Equifax has agreed to take several steps to assist consumers who are either facing identity theft issues or who have already had their identities stolen, including but not limited to making it easier for consumers to freeze and thaw their credit, making it easier for consumers to dispute inaccurate information in credit reports, and requiring Equifax to maintain sufficient staff dedicated to assisting consumers who may be victims of identity theft.
Equifax has also agreed to strengthen its security practices going forward by reorganizing its data security team; minimizing its collection of sensitive data and the use of consumers’ Social Security numbers; performing regular security monitoring, logging and testing; employing improved access control and account management tools; reorganizing and segmenting its network; reorganizing its patch management team; and employing new policies regarding the identification and deployment of critical security updates and patches.
Consumers who think they have been a victim of the Equifax breach can file a claim on the Equifax Settlement Breach online registry. To receive email updates regarding the launch of the Equifax Settlement Breach online registry, consumers can sign up here. Consumers can also call 1-833-759-2982 for more information.
Marshall was appointed AG by former Gov. Robert Bentley. Marshall was elected to his own term as AG in the 2018 election.