According to the FTC announcement and order, the settlement will result in Equifax paying between $575 million and $700 million to settle charges brought by the FTC. $380 million of that total will be assigned to a Consumer Restitution Fund and paid out directly to consumers.
Here’s how to get your cut:
- First, head to this settlement website to determine if your data was exposed. Users will have to enter their last name and last six digits of their social security number to confirm they were part of the breach.
- If you were one of the 147 million impacted Americans, you’ll need to either file a claim online or print this form and mail it in by January 22, 2020. You’ll be able to request either a one-time $125 payout, or 10 years of free credit reporting—assuming you want anything to do with a company that couldn’t protect your personal data in the first place.
- Note that you’ll need a special form if you were technically a minor at the time that the breach occurred (May 2017). Minors will be able to net 18 years of free credit reporting.
- Consumers may be able to get up to $20,000 if they can provide evidence that the leak of their financial data resulted in “fraud, identity theft, or other alleged misuse of your personal information fairly traceable to the data breach,” the settlement website states. You’ll need to provide a police report, an IRS letter, or a bank letter, and may be reimbursed to the tune of “$25 per hour for up to 20 hours” if you’ve spent any time trying to resolve identity theft damage.
According to a settlement FAQ, it could take several months for impacted users to see payouts. There’s additional detail over at the FTC settlement website. Users can also contact the Equifax Settlement Administrator at 1-833-759-2982 or by emailing info@EquifaxBreachSettlement.com.
The FTC notes that the entire scandal could have been easily avoided.
Equifax waited 40 days before even announcing the company had been hacked. Motherboard reporting revealed that the company’s IT administrators had known about the vulnerability for months before the hack occurred, yet didn’t apply basic patches for at-risk systems.
The vulnerability was simple and easy to exploit. An Equifax website and ACIS database that was supposed to be for internal use only wound up being publicly exposed to the broader internet. A simple forced browsing attack provided access to social security numbers, full names, birthdates, and partial addresses of millions of Americans.
“I’ve seen a lot of bad things, but not this bad,” the security researcher told Motherboard. “It should’ve been fixed the moment it was found. It would have taken them five minutes, they could’ve just taken the site down.”
When executives did find out about the threat, many decided to cash in on the knowledge. Former Equifax Chief Information Officer Jun Ying, for example, was just sentenced to four months in prison for insider trading on the news of the breach before it was formally announced. Equifax manager Sudhakar Reddy Bonthu also pleaded guilty to insider trading on the news.
Publicly, Equifax attempted to place the blame entirely at the feet of one employee, despite the fact that security researchers had discovered a wide variety of additional bugs and vulnerabilities that could have just as easily exposed sensitive user data.
According to the FTC, Equifax failed to implement a policy to ensure security vulnerabilities were patched, failed to segment its database services to block access to other parts of the network should it be breached, and failed to install “robust intrusion detection protections” for its legacy databases. Sensitive data, like Social Security numbers, were also stored in plain text.
“Companies that profit from personal information have an extra responsibility to protect and secure that data,” FTC Chairman Joe Simons said of the settlement. “This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud.”
While a record payout, the FTC settlement still doesn’t match the scale of Equifax’s incompetence, or the potential harm done to users who may have had their identities stolen as a result of the breach, according to security experts like Brian Krebs.
“A company that truly offered to pay consumers anywhere near what their data is actually worth would probably wipe these digital dinosaurs from the face of the earth,” Krebs said.