Equifax to pay £561 million to settle data breach

Equifax has agreed to pay up to $700 million (about £561 million) as part of a settlement with US regulators following its mammoth data breach in 2017.

The FTC (Federal Trade Commission) claimed that Equifax hadn’t taken reasonable steps to secure its systems, which led to the records of more than 147 million people being compromised.

The majority of the victims are based in the US, but the Telegraph reports that as many as 44 million people in the UK may have been affected through companies such as BT, Capital One and British Gas, which used Equifax's services at the time of the incident.

How did the breach occur?

The breach occurred between May and July 2017, when cyber criminals exploited a remote code execution vulnerability in Apache Struts 2, an open-source framework for building Java web applications.

Apache disclosed the vulnerability and released a fixed version in March 2017, two months before the intrusion began. Equifax failed to apply the fix, leaving a publicly known vulnerability exposed on its systems for criminals to find and exploit.
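The failure described above is a patch-lag problem: a fixed version existed, but nobody confirmed it was deployed. The script below is an added example, not code from the article or from Equifax, showing how a practitioner can check a component inventory against the versions Apache published as fixed for the March 2017 Struts 2 flaw (2.3.32 and 2.5.10.1) and report how long each still-vulnerable host has been exposed. The inventory lines and the dates are constructed for the example; the advisory date is assumed to be 6 March 2017, and the "as of" date stands in for a day in May 2017, when the article says the breach began.

```python
"""Patch-lag check for Apache Struts 2 against a component inventory (added example)."""
from dataclasses import dataclass
from datetime import date

# Versions Apache published as containing the fix for the March 2017 Struts 2 RCE,
# keyed by release branch. Anything on these branches below the fixed version is exposed.
FIXED_VERSIONS = {
    (2, 3): (2, 3, 32),
    (2, 5): (2, 5, 10, 1),
}

# Constructed inventory (host, artifact, version). Not real Equifax data.
INVENTORY = """\
web-01     struts2-core 2.3.31
web-02     struts2-core 2.5.10
web-03     struts2-core 2.3.32
api-01     struts2-core 2.5.13
legacy-01  struts2-core 2.1.8
db-01      postgresql   9.6.3
"""


@dataclass(frozen=True)
class Finding:
    host: str
    version: str
    status: str        # "vulnerable", "patched" or "unknown"
    days_exposed: int  # days since the fix was published; 0 unless vulnerable


def parse_version(version: str) -> tuple:
    """Turn '2.5.10.1' into (2, 5, 10, 1) so tuple comparison orders releases correctly.
    Shorter tuples compare as older when the prefix matches: (2, 5, 10) < (2, 5, 10, 1)."""
    return tuple(int(part) for part in version.split("."))


def assess(host: str, version: str, as_of: date, fix_published: date) -> Finding:
    """Classify one host's Struts version and, if vulnerable, count the days of exposure."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[:2])
    if fixed is None:
        # Branch not covered by the advisory data we hold (e.g. long end-of-life 2.1.x):
        # flag for manual review rather than silently calling it safe.
        return Finding(host, version, "unknown", 0)
    if parsed >= fixed:
        return Finding(host, version, "patched", 0)
    return Finding(host, version, "vulnerable", (as_of - fix_published).days)


def scan(inventory: str, as_of: str, fix_published: str) -> list:
    """Run the check over inventory text. Dates are ISO strings, e.g. '2017-05-13'."""
    as_of_date = date.fromisoformat(as_of)
    fix_date = date.fromisoformat(fix_published)
    findings = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, artifact, version = line.split()
        if artifact != "struts2-core":
            continue  # only the framework the advisory concerns
        findings.append(assess(host, version, as_of_date, fix_date))
    return findings


def vulnerable_hosts(findings: list) -> list:
    """Hosts still below the fixed version, sorted by longest exposure first."""
    return sorted(
        (f for f in findings if f.status == "vulnerable"),
        key=lambda f: -f.days_exposed,
    )


if __name__ == "__main__":
    # Assumed advisory date (March 2017) and a constructed check date in May 2017.
    results = scan(INVENTORY, as_of="2017-05-13", fix_published="2017-03-06")
    for f in results:
        print(f"{f.host:10} {f.version:10} {f.status:10} exposed {f.days_exposed} days")
```

Run as a cron job against whatever produces your real inventory (a CMDB export, `find` over deployed WARs, or a dependency manifest), and page on any host whose exposure exceeds the patch SLA; the "unknown" status is deliberate so that versions outside the advisory's branches are reviewed rather than ignored.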

Where will the money go?

At least $300 million will be used to pay for identity theft services and repay costs incurred by the victims. This includes:

  • Free credit monitoring: Affected consumers are entitled to at least three years of credit monitoring covering all three major bureaus, Equifax, Experian and TransUnion;
  • Cash payment: Affected consumers who don't want the credit monitoring can instead opt for a $125 cash payment;
  • Reimbursement: Equifax will cover out-of-pocket costs incurred remedying identity theft or misuse of personal information caused by the breach, including money spent on credit monitoring or credit reports, and will compensate time spent dealing with the breach at $25 per hour for up to 20 hours, with total cash reimbursement capped at $20,000 per person;
  • Help with ongoing identity theft issues: Affected consumers can claim up to seven years of "free assisted identity restoration services", although specific details haven't been disclosed.

Costs continue to spiral

The settlement is a huge blow for Equifax, which has already spent $243 million responding to the incident.

However, a large part of that loss was offset by the organisation’s cyber insurance policy. Equifax announced that it maintained “$125 million of cybersecurity insurance coverage, above a $7.5 million deductible”, and, since announcing the breach, has “recorded insurance recoveries of $60.0 million and received payments of $50.0 million for costs incurred to date”.

This shows both the benefits and the limits of cyber insurance. Insurers expect policyholders to demonstrate strong cyber security measures, and a breach caused by a missed patch for a publicly known vulnerability undermines any such claim.

More significantly, insurance policies almost certainly won't cover fines and settlements. This leaves Equifax carrying the full pay-out of up to $700 million, plus the more than $100 million in response costs that its insurance did not recover.

This demonstrates that adequate security measures, starting with timely patching of known vulnerabilities, are the only truly effective defence against cyber crime. An insurance policy helps, but only if you avoid the major mistakes that escalate the costs of a data breach.
