Equifax Settlement Teaches The Dos and Dont’s About Data Security

By: Nicole Kardell

It’s been a busy summer for the FTC and the federal agency is dominating the headlines. There is the $5 billion settlement with Facebook for failing to better protect user privacy, which was announced earlier this month. Then there is the multimillion dollar settlement with Google for failing to adequately protect children’s privacy. That was announced late last week. Today, the FTC announced a $575 million settlement with credit reporting company Equifax for failing to secure massive amounts of personal information stored on its network.

The Equifax settlement relates to a company data breach in 2017 in which some 147 million names and dates of birth, 145 million Social Security numbers, and 209,000 credit and debit card numbers were stolen by hackers. The hackers were able to access this sensitive data because Equifax did not fully execute a software patch after being alerted by Homeland Security’s cyber experts (US-CERT).

The data breach happened in spite of a company-wide “Patch Management Policy” that required staffers to patch affected software within 48 hours. That’s because the company didn’t alert all the necessary employees to install the patch. And it’s also because the company used an improperly configured automatic scanner that failed to detect vulnerable software after the patch was supposed to have been fully installed. As a result, hackers were able to access one of Equifax’ portals and then also gain access to other parts of the company’s network.

A list of failures that the FTC identified in its complaint against Equifax include:

• Equifax did not confirm employees followed through on the patching process;
• Equifax used an automated scan that wasn’t properly configured to check all the places that could be using vulnerable software;
• Equifax failed to segment its network to limit how much sensitive data an attacker could steal;
• Equifax stored admin credentials and passwords in unprotected plain-text files;
• Equifax failed to update security certificates that had expired 10 months earlier; and
• Equifax didn’t detect intrusions on “legacy” systems.

These shortcomings resulted in alleged violations of the FTC Act and the Gramm-Leach-Bliley Safeguards Rule, which applies to financial institutions (including credit reporting agencies as well as all other companies that are “significantly engaged” in providing financial products or services).

The FTC settlement requires Equifax to pay $300 million into a fund to provide impacted consumers with credit monitoring services and to compensate those who have already bought such services or incurred expenses as a result of the 2017 breach. Equifax will add up to $125 million to the fund as necessary. Further, the company will pay $175 million to 50 states and territories and $100 million to the CFPB. In addition to the FTC settlement, Equifax reached a staggering resolution to a related consumer class action in which the company pledges up to $2 billion for consumers impacted by the breach. Equifax’ failures seem almost breathtaking in this day and age, especially for a company whose business is consumer financial data and other sensitive information. But it’s not that Equifax didn’t address data security; it just didn’t go far enough or recently enough. Equifax had policies in place but the list of staffers who should have been made aware does not seem to have been refreshed. Equifax had a system to scan for vulnerabilities, but that system was ineffective.

FTC reporting on the settlement refers companies to its own guidance on data security, “Start with Security.” We recommend companies review agency guidance periodically and then review their own policies and procedures regularly. Equifax’ failures emphasize the importance of not resting on your IT laurels… ever…. Having policies and procedures in place for handling data security (and for handling privacy) must be dynamic, not static.