News Insights: Equifax to Pay at Least $650 Million in Largest-Ever Data Breach Settlement

OR: Equifax settlement with the FTC CFPB, and States to Pay $575 Million Related to 2017 Data Breach

NEWS INSIGHTS:

ISACA Board Director and Past Board Chair Rob Clyde, CISM:

“The record settlement Equifax will pay in the aftermath of the 2017 data breach underscores that it is incumbent upon enterprises to clearly understand where they are relative to their desired cyber maturity level. Organizations need to arrive at a clear assessment of where they stand, what their gaps are and how to put in place a roadmap for targeted improvement. In particular, enterprises that possess sensitive information about individuals must step up their game and become equipped to quickly identify and close the gaps related to their cyber maturity. Otherwise, enterprises run the risk not only of absorbing massive financial penalties, but face the daunting and long-term challenge of rebuilding their reputations with customers – reputations that can take years to build but only moments to destroy.”

Deepak Patel, security evangelist with PerimeterX:

“The Equifax breach of September 2017 was one of the largest data breaches with up to 145M users’ personal data compromised. We can be confident that a large number of the compromised users’ sensitive information from the Equifax breach is still actively in use in account takeover (ATO) attacks. Cybercriminals can combine data from different breaches – for example, name and address from one with the date of birth and password from another – to increase the success rate of credential stuffing. The Equifax data breach has key data like the last four digits of a social security number and date of birth.  These could be used to take full control of user accounts without their knowledge. The Equifax data breach was particularly harmful to any online business since it possibly involved every U.S. consumer and their sensitive data all in one massive breach.

For e-commerce, travel and financial verticals, and any business with online user accounts or rewards programs, it is imperative to deploy advanced bot management that can protect against Account Takeover attacks. When the Equifax and British Airways breaches happened in 2017, it seemed like regulators would let them off easy with a slap on the wrist. But the FTC and GDPR are imposing meaningful fines to hold these large corporations accountable for breaches involving sensitive user data. It is imperative that businesses quickly review their security protocols and consider additional safeguards before they too are both compromised and fined.”

Colin Bastable, CEO, Lucy Security:

“We need a consumer compensation fund, into which all of these fines are paid, for disbursement to long-abused US consumers. And maybe we could rein in the credit reporting industry – if they did not collect and sell our personal financial data, we would not be in this mess.”

Adam Laub, CMO, STEALTHbits Technologies:

“I’m far from an Equifax apologist, but the truth is it could have been anyone. It’s not an excuse, but rather the reality we live in. The best outcome isn’t Equifax making the situation right – although that is important for all of those affected – it’s everyone else learning that the price to be paid outweighs the inconvenience of ensuring proper measures are taken to secure the data that puts them at risk in the first place. And it’s got to be from the ground up too. There’s no silver bullet. There’s no one thing that mitigates the exposure. A multi-layered, multi-faceted approach is critical to making the juice not worth the squeeze for bad actors looking to score quickly and easily.”