A federal judge in Atlanta has given final approval to a settlement that resolves a class action lawsuit against credit bureau Equifax, which in 2017 suffered one of the largest data breaches in history.
The deal is essentially the same as the final version of a proposed agreement reached in July 2019 with the Federal Trade Commission. Consumers will get free credit monitoring, or if they already had that in place, up to $125 in a cash payment (see: Equifax Negotiates Potential $700 Million Breach Settlement).
But the settlement caps those cash payments at a combined $31 million. Because the pool is fixed, the more people who claim the cash option, the smaller each individual payment becomes (see: Is the Equifax Settlement Good Enough?).
Still, Chief Judge Thomas W. Thrash Jr. writes that “this settlement is the largest and most comprehensive recovery in a data breach case in U.S. history by several orders of magnitude.” The minimum cost to Equifax will be $1.38 billion, which includes $1 billion in security upgrades, Thrash writes.
Information Security Failures
Equifax’s breach was caused by attackers taking advantage of unpatched Apache Struts software between mid-May and July of 2017. A patch was issued in March 2017, but Equifax failed to apply it.
Equifax used Apache Struts to run certain applications on legacy operating systems, according to a December 2018 report on the incident published by the U.S. House of Representatives' Committee on Oversight and Government Reform.
The vulnerability in Struts allowed attackers to gain access to the company's Automated Consumer Interview System, a custom-built, internet-facing consumer dispute portal originally developed in the 1970s, the report says. From there, attackers pillaged 48 databases, running some 9,000 queries against unencrypted personally identifiable information.
Equifax failed to catch such a large exfiltration because the security certificate on a device that inspected encrypted network traffic had expired, the report says; with the certificate expired, the device could no longer decrypt and inspect the traffic passing through it, so the attackers' queries and outbound transfers went unseen. Once Equifax renewed the certificate on July 29, 2017, the suspicious traffic was detected almost immediately.
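The failure described above, an expired certificate on a traffic-inspection appliance that nobody noticed, is the kind of gap a routine certificate-expiry sweep over an asset inventory is meant to catch. The script below is an added example written for this article; it is not code from the article, from the House report or from Equifax. The hostnames, roles and expiry dates in the inventory are constructed, the reference time is fixed to mid-July 2017 so the run is reproducible, and the escalation rule (treating an expiring certificate on an inspection device as high severity because it means loss of visibility rather than a visible outage) is the author's own assumption about what a practitioner would want flagged.

```python
"""Certificate-expiry sweep over a constructed asset inventory.

Added example, not from the article or from Equifax. The 'notAfter' strings
use the format Python's ssl.getpeercert() returns ("Jul 29 00:00:00 2017 GMT"),
so the same functions work on certificates pulled from live hosts.
"""
import ssl
from datetime import datetime, timezone

# Constructed inventory: hypothetical hosts, roles and expiry dates.
# Note the inspection appliance is listed alongside the public web hosts;
# leaving such devices out of the inventory is how an expiry goes unnoticed.
INVENTORY = [
    {"host": "dispute-portal.example.com", "role": "web",
     "notAfter": "Mar 15 00:00:00 2018 GMT"},
    {"host": "ssl-inspect-01.example.net", "role": "traffic-inspection",
     "notAfter": "Jan 31 23:59:59 2016 GMT"},
    {"host": "api.example.com", "role": "web",
     "notAfter": "Aug 10 12:00:00 2017 GMT"},
]

# Fixed reference time (assumption, for a reproducible run): 2017-07-15 00:00 UTC.
REFERENCE_TIME = datetime(2017, 7, 15, tzinfo=timezone.utc)

# Roles whose certificate expiry means loss of monitoring coverage.
VISIBILITY_ROLES = {"traffic-inspection"}


def days_until_expiry(not_after: str, now: datetime) -> float:
    """Days between `now` and the certificate's notAfter (negative if expired)."""
    expiry_epoch = ssl.cert_time_to_seconds(not_after)
    return (expiry_epoch - now.timestamp()) / 86400.0


def classify(days: float, warn_days: int = 30) -> str:
    """EXPIRED if already past notAfter, EXPIRING if within warn_days, else OK."""
    if days < 0:
        return "EXPIRED"
    if days <= warn_days:
        return "EXPIRING"
    return "OK"


def severity(status: str, role: str) -> str:
    """Escalate non-OK certificates on visibility-critical devices."""
    if status == "OK":
        return "info"
    return "high" if role in VISIBILITY_ROLES else "medium"


def sweep(inventory, now=None, warn_days: int = 30):
    """Return one finding per asset with days remaining, status and severity."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for asset in inventory:
        days = days_until_expiry(asset["notAfter"], now)
        status = classify(days, warn_days)
        findings.append({
            "host": asset["host"],
            "role": asset["role"],
            "days": round(days, 2),
            "status": status,
            "severity": severity(status, asset["role"]),
        })
    # Most urgent first: expired before expiring, then fewest days remaining.
    findings.sort(key=lambda f: (f["status"] == "OK", f["days"]))
    return findings


if __name__ == "__main__":
    for f in sweep(INVENTORY, REFERENCE_TIME):
        print(f"{f['severity']:<6} {f['status']:<8} {f['days']:>8.1f}d  "
              f"{f['host']} ({f['role']})")
```

Run against the constructed inventory at the fixed reference time, the inspection appliance comes out as EXPIRED with high severity (its certificate lapsed about a year and a half earlier), the API host as EXPIRING with about 26 days left, and the dispute portal as OK. In practice the `notAfter` values would come from `ssl.SSLSocket.getpeercert()` or from the appliance's own management interface, and the sweep would run on a schedule rather than once.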
Equifax’s breach exposed data pertaining to 148 million individuals in the U.S., 15 million in the U.K. and 20,000 in Canada. None of the data has surfaced publicly, which security experts have said may be a sign that the attackers are tied to a nation-state.
The exposed information included names, addresses, email addresses, phone numbers, birth dates, driver's license and passport numbers and financial data. Equifax's breach led to a wave of outrage from both consumers and politicians and served as a wake-up call to the risks of data breaches.