Credit reporting agency Equifax has paid the US State of Indiana $19.5 million (£15.6 million) to resolve claims after a data breach which exposed sensitive personal information.
Indiana’s attorney general said that around 56% of Americans across the country, including 3.9 million people in Indiana, had their personal data accessed and copied by hackers between May and June of 2017.
Hackers exploited an unpatched Apache Struts vulnerability to access the data, which included highly sensitive financial information, driver’s license numbers, and social security numbers.
The breach also revealed the credit card details of 209,000 US consumers, and around 182,000 others had other personally identifiable information accessed.
It wasn’t until June 2019, two years after the initial attack, that Equifax discovered the breach. Crucially, the company failed to notify its customers until close of trading six weeks later.
In addition to paying $19.5 million to Indiana, the terms of the settlement stipulate that Equifax must resolve any previous cybersecurity issues and take action to protect customers against future cyber attacks.
Equifax was previously fined £530k by the Information Commissioner Office (ICO) in September 2018 for failing to protect customers’ personal and financial data.
The company had been warned of potential cybersecurity vulnerabilities on its systems before the 2017 attack. The US Department for Homeland Security had alerted Equifax over vulnerabilities, but the company decided not to act on the information.
At the time the breach was revealed, the company set up a website to inform users if their data had been accessed.
- Edinburgh Tech Firm Looks to Support Disabled Shoppers During COVID-19
- Reddit Advertising Update to Target Political Ad Transparency
- New Facebook Features Set to Tackle Coronavirus Misinformation
Despite the two year period between the attacks and the six-week wait for the company to reveal the information, Chairman and Chief Executive Officer, Richard F. Smith, said that the incident was a “disappointing event for our company, and one that strikes at the heart of who we are and what we do”.
Smith apologised to consumers and business customers “for the concern and frustration this causes”.
“We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations,” he commented.
“We also are focused on consumer protection and have developed a comprehensive portfolio of services to support all US consumers, regardless of whether they were impacted by this incident. I’ve told our entire team that our goal can’t be simply to fix the problem and move on. Confronting cybersecurity risks is a daily fight. While we’ve made significant investments in data security, we recognise we must do more. And we will,” Smith added.
According to reports from Bloomberg at the time, three senior Equifax executives, including the CFO, president of US information solutions and president of workforce solutions, sold shares worth almost $1.8 million (£1.4 million) in the days following the discovery of the breach.