Equifax Data Breach Deemed “Preventable” by the FTC; Equifax Did Not Implement Basic Security Measures

To settle its 2017 data breach, Equifax has agreed to pay at least $575 million to the FTC, the Consumer Financial Protection Bureau and 48 states. It could pay up to $700 million depending on the claims filed.

Hackers stole the personal information, including Social Security numbers, of almost 148 million Americans from Equifax’s servers in a data breach that ran from May to July 2017.

A December 2018 House Oversight Committee report called the breach “entirely preventable,” stating that Equifax did not take action to prevent it and was not prepared to handle it once it occurred.

Per the FTC Press Release:

The FTC alleges that Equifax failed to patch its network after being alerted in March 2017 to a critical security vulnerability affecting its ACIS database, which handles inquiries from consumers about their personal credit data. Even though Equifax’s security team ordered that each of the company’s vulnerable systems be patched within 48 hours after receiving the alert, Equifax did not follow up to ensure the order was carried out by the responsible employees.

An investigation revealed hackers were able to exploit the ACIS vulnerability to gain entry to Equifax’s network, where they accessed an unsecured file that included administrative credentials stored in plain text. Hackers were able to access the data because Equifax failed to implement basic security measures, according to the complaint.

This includes:

  • failing to implement a policy to ensure that security vulnerabilities were patched;
  • failing to segment its database servers to block access to other parts of the network once one database was breached;
  • failing to install robust intrusion detection protections for its legacy databases.

Despite its failure to implement basic security measures, Equifax’s privacy policy at the time stated that it limited access to consumers’ personal information and implemented “reasonable physical, technical and procedural safeguards” to protect consumer data.