Equifax to Pay at Least $650 Million in Largest-Ever Data Breach Settlement

Jul 22, 2019 · 159 comments
Doug Pearson (Mountain View, CA)
"Equifax will pay about $650 million" --- "a 2017 data breach that exposed sensitive information on more than 147 million consumers" ... "Almost half the settlement -- $300 million [will go to] American consumers" In other words, 147 million American consumers will get $300 million, or about $2 each. How is that fair to American consumers?
Dejah (Williamsburg, VA)
My data was breached at Equifax. I have already spent numerous hours dealing with this breach. If I recovered 1/147,000,000 of $650,000,000 that would be a WHOPPING... $4. WOW, US courts... THANK YOU SO MUCH!!!! I'm overwhelmed!
David Potenziani (Durham, NC)
There should be a death penalty for corporations that break the law in such a cavalier fashion. Perhaps a fine of 10 times the peak worth of the company for the year of the commission of the crime. Corporations should not be immortal, they should pay the ultimate business price. While we are in the fantasy land of appropriate punishment, let’s convict the people who allowed the breach to happen and put the guilty behind bars. That may encourage others to improve their protection of our data.
Matthew Ratzloff (New York, NY)
Breaches like this will happen again and again so long as the impact to the bottom line is inconsequential. These decisions are weighed as risk calculations: does the potential negative financial and brand outcomes cost less than investing in proper security protocols and engineering practices? For a company like Equifax that sells access to our private data as its main product, they are especially susceptible to this line of thinking. They don't even have to worry about users abandoning them, since no one asked us and we don't have a choice. Only when the financial impact is so devastating that it derails a company's growth trajectory for years, and is consistently applied for each breach with increasing severity, will the risk be accounted for properly. This settlement does very little toward that end.
Stewart (new jersey)
This is a pathetic sum. 650 million is nothing to them.
GJA (Sydney)
Four bucks each, not even accounting for the lawyers' fees. Worth it!
redpill (ny)
Government should ban the use of immutable private information for authentication purposes thus making such data useless in committing identity fraud. "How to Make Private Information Completely Useless for Committing Identity Fraud" https://link.medium.com/1f8JxHtvnY
music observer (nj)
This fine is ridiculously low, in the end Equifax may end up paying very little, that 650 million is only if they end up having to pay out like 300 million plus to where customers can actually show the amount of fraud, the cost of the fraud + paying to clean it up. If in the end very few people were hurt, Equifax may end up getting more than 300 million of this back, the rest going to the lawyers. My problem with this is it isn't much of a deterrent, if few people have actual fraud they can prove with this, actual costs, then Equifax may basically be walking away with paying the lawyers 300+ million...and the deterrent value will be low. Among other things, Equifax can write off the lawyer costs for the plaintiff as a business expense, so they won't even be paying 300+ million. There should have been a massive fine as well, one that few companies can ignore, if you save pennies on not having proper security and a world class IT organization, but rather on antiquated systems with poor processes and staffed by 3rd rate talent you will think twice if you know you face that kind of penalty.
Will N (Los Angeles)
@music observer $4.42 per victim. I'm sure that's far less than Equifax makes per year for each of those people. Why do some people end up in jail and bankruptcy over parking tickets and fines, while others seem to have a guaranteed cap of pennies on the dollar for outrageous conduct that harms millions, and is repeated over and over again?
Rick Weiss (Los Altos)
We need more “eat your own dog food” type laws in the US.... If there’s a database of personal info, then all employees (including execs and board) should have their info in the database. If a company makes a food product, all execs (and board) should be required to eat it (regularly). If a company is responsible for delivering water to city residents, then all execs (and board) should be required to drink samples from various points throughout the city, regularly. Etc etc
JTC65 (Easton PA)
The executives in charge at the time of breach should be held accountable through jail and extremely high fines. Their neglect and disrespect caused the breach. This industry should be more regulated and audited. No mercy.
Rick Weiss (Los Altos)
Or we could just force them to leak their execs’ personal information. But seriously, one way to curtail future leaks is to make sure that their databases contain the personal information of everyone who has access (to the databases) or is responsible for security (all the way up through the board of directors).
Sneeral (NJ)
This is a totally inadequate settlement. It works out to less than $5 for each person who had their sensitive information compromised. Facebook was recently fined $5 billion for betraying their users' privacy and violating multiple consent decrees and even that amount was not sufficient. These sanctions may sound like a lot of money but for massive corporations they are easily shrugged off as the cost of doing business. There is no real incentive to make meaningful change.
kvetchingoy (SF)
"But there have been no major changes to the federal laws covering what information credit bureaus can collect and what steps they must take to safeguard it." 'Can't fix stupid'? huh, Walden. Looks like we (all of us) didn't even try. This pretty much says it all. Expect it to happen again.
WeAreWeary (West Coast)
These sorts of data breaches are directly 100% due to lazy, sloppy, inexperienced, or nonexistent IT personnel. IT departments are shredded because "they just don't contribute anything to the bottom line" according to mindlessly stupid executives whose entire life is centered around shareholder value, and then these things happen over and over and over. Ask the people at Sony Studios, who laid off their entire experienced IT staff and brought in cheap young inexperienced labor to take care of things. Because, really, what do those IT people do besides replace defective keyboards and mice? Any high school kid can do that, right? The only way this will stop is if the feds gird their loins and pass legislation that says that a data breach that exposes customers' data to theft will be punished by fines of $100 per exposed record. Not "up to $100", but $100 per record. Under those rules, this data breach and theft would have cost Equifax $14.7 billion. A fine that size would only have to be levied just once, and every corporation in America would suddenly have their come-to-Jesus moment about data security. As long as there is no real punishment (what proportion, exactly, is $650 million of Equifax's annual income? Minuscule!), these breaches will continue. The only thing these executives understand is pushing down the bottom line and stock price, so the only way to fix this is to make it really, really expensive to NOT secure customer data.
kenzo (sf)
It would have cost them that much to harden and protect the data before this breach. So they really didn't lose. They took the good chance of NOT spending the money by simply declining to invest in the protections, and taking the risk they would be breached and then sued. A good bet, they just got unlucky with it. Ethically and morally they don't care the slightest about people's data, it is simply all a financial equation.
Pete (Hawaii)
The level of complicity between government and corporate interest is mind boggling. Who legally authorized a corporation to oversee the worthiness of my credit habits? Who authorized the executive staff to make millions on the sale of stock prior to the release of information regarding the LOSS of individual identifying credit identification information? When will the personnel be held accountable for the malfeasance of their actions to inadequately safeguard the credit records that they took control of without legal governmental authorization? Which governmental agency inadequately supervised the use and distribution of personal credit records of the citizens of these United States and where is the accountability for this failure to regulate? This breach exposed millions of SS numbers and driver's license numbers to scammers, how effective will the distribution to the owners of $4.40 be in deterring the three non governmental corporations from doing the same thing again? Is there any plan on the part of any governmental agency to take control of these private corporations for the public benefit? What actions will the government take to regulate the compensation and the actions of the incompetent managers of these private firms for the public that has been exposed in such a flagrant manner? Is accountability a concept that will disappear in the same fashion that privacy has seemed to be eliminated as a reasonable expectation of individual rights?
kvetchingoy (SF)
Clearly, this settlement is disgusting. But we're all at fault. This happened two years ago and no new laws have been enacted to protect our data and hold people accountable. 148 million people were exposed. How many called up their congresspeople and demanded new laws? This affected half the country (of all partisan persuasions) and...nothing. It's easy to hope the courts provide just punishment and oversight. A lot more time consuming when the onus is on us to demand change. Sure, we're outraged. Just not enough to do something about it.
SXM (Newtown)
Equifax escapes punishment, pays $4 per person fine and no jail time. Fixed it.
Comp (MD)
$650M is Bupkes. Start holding corporate feet to the fire.
Leanne (Maryland)
The link to the breach settlement site is blocked by a security threat
friend for life (USA)
Shame on these people in the US justice system that sold out, abandoning America's people, our collective ethics and morals to the inept banking industry.
kvetchingoy (SF)
@friend for life Shame on us, as citizens, for not demanding change by our leaders. If 148 million people called their reps and senators to express their disgust, stuff would get done.
DRS (Boston MA)
Forty-five percent of the population's Social Security and driver's license numbers were exposed and the fine Equifax will pay amounts to $4.40 per person. That amount is equal to the cost of a cafe latte - that is the value of our privacy. And, that is just for the personal data Equifax was bound to protect. There is more to consider... 148 million people's social security and driver's license information was combined with debt/credit data which provides socio-economic information but we don't know by whom and how this information will be used to affect all of us. And, U.S courts have allowed this criminality to be brushed under a rug by Equifax.
Ngie (Seattle, WA)
@DRS yup... that’s about the cost of our privacy to Facebook too. Doesn’t it feel great knowing how undervalued we are as individuals -_-?
Bob (Cut and Shoot, TX)
Twice now I have had my files breached online and received notice that because that happened I was now "protected" by Equifax, among others. I now receive a monthly report regarding my credit report from Equifax. Somehow I don't feel so safe.
Linda (New Jersey)
Another company that collects, stores, and sells access to our information is LexisNexis. Yet we do not have a say in what is collected and most times don't even know it is being done. Several years ago a company was using LexisNexis to vet me. LexisNexis had a fraudulent address for me which had its basis in thieves stealing my identity years previously. While I gave the company vetting me my correct address, I did not pass the screen because of the fake address LexisNexis was carrying. So my question is, why is LexisNexis not required to give consumers copies of their personal and financial records just as the credit reporting companies are?
Dejah (Williamsburg, VA)
@Linda I nearly lost my auto insurance last year because of incorrect information in Lexis. Fortunately, I was able to correct the error and NOT lose my insurance. But it was a maze of anxiety and misery for 24 hours trying to figure out something that I have previously not known existed. These companies have tendrils into our lives and exert a level of control we aren't even aware of until they derail us. If you're able to wade through the muck and mess, it's one thing. Woe betide the people who are NOT able to untangle the messes they create when they have the wrong information!
tnbreilly (2702re)
Has anyone done an analysis of the actual damages that the breach has caused? Otherwise we cannot make a judgement on the significance of the monetary value of the fine, fair or unfair.
Whatever (NH)
Unbelievable. Facebook mishandles <1% of voluntarily handed-over customer data and is fined $5B by FTC (rightly so). Equifax loses ALL (far more important) data that we are required by law to hand over, and gets fined $650M. Way to go!
Upstate Teacher (Upstate NY)
The court should not approve this deal. Equifax is putting what amounts to $2.59 for each of the 147 million people whose data was exposed into a restitution fund. Only those who prove they were financially harmed will get anything. And they have to prove it was because of the Equifax breach specifically. My data was exposed through this breach, through the Target breach, and through at least one other security breach. If my identity is stolen, how can I prove it was because of Equifax rather than one of the others? Mark Begor was hired last year at an annual salary and bonus of up to 4.5 million plus stock and options worth $17 million, according to The New York Times article announcing his hiring. And executives who resigned or retired after the breach left with tens of millions more. This settlement is a minuscule amount that really isn’t going to serve to deter Equifax or any other company from placing profits before people. Make it hurt. Each one of us should get lifetime credit monitoring. Anything we paid out for credit monitoring should be reimbursed. Any financial losses should be covered. And everyone whose private information was exposed should be paid $1,000. Until companies really feel the consequences, they won’t take this seriously.
Dejah (Williamsburg, VA)
@Upstate Teacher You know, you don't have to suffer any "harm" to have the breach cause you significant misery or take significant time out of your life. The data breach has cost me solidly ten hours to make sure I HAVEN'T suffered any harm. Just monitoring my data monthly for the first year to make sure that I DIDN'T suffer any adverse consequences took at least 10 hours out of my life. THAT is a harm.
Nat (NYC)
There is a lot of indignation expressed in the comments that the settlement is equivalent to about $4 or $5 per affected person. What is overlooked, of course, in this rush to judgment, is that many affected people whose data was breached will have ended up suffering no damages at all, while others may be able to point to hundreds or thousands of dollars in damages. In other words, while it may be tempting to assign average damages of $5 per person (which would be a preposterously low figure if it also assumed that average damages were uniformly catastrophic), one should pause to reflect that $5 may, in fact, be a vast overstatement in those cases where only nominal damage (or less) was suffered.
@Nat How could $5 be an overstatement? Impossible to be vast overstatement. Just me having to read this and other articles to figure out whether I was affected should be compensated by more than $5. JMHO
DRS (Boston MA)
@Nat has the defense rested for the plaintiff?
Viv (.)
@Nat Thanks Equifax PR!
Richard (NYC)
If only the outrage at our corporate overlords in these comments were directed at elected officials, the right wing regime would go down in flames. But not enough people have the wits to grasp the connection. Instead, they are distracted and frightened by lies about immigrants, people of color, and (gasp) “socialism”
DeepThud (Texas)
Mick Mulvaney worked to defund the Consumer Financial Protection Bureau before going to the White House. Once again, the lobbyists get what they paid for.
Xoxarle (Tampa)
Big fine. Cool. Who’s going to jail?
wil (vermont)
@Xoxarle - I completely agree. This is pocket change for corporate crooks. Nothing will change until a few of the well heeled and highly compensated CEOs who allow this to happen go to jail.
Easy Goer (Louisiana)
Outstanding, only it is not near enough money. Their fine is less than 1 billion dollars? That's a joke.
Dan Kravitz (Harpswell, ME)
Wow! That's just over four bucks a person. Pocket change for me and far less than that for Equifax. Dan Kravitz
Wizened (San Francisco, CA)
10 years of monitoring? They deserve a LIFETIME of monitoring. Considering that an identity thief was able to change the birth date on my credit report (how often do people change their birth dates???) Equifax needs to be replaced by a new bureau.
Blue in Green (Atlanta)
Settlement: $650 million, less plaintiff attorney fees of $214.5 million. I can hear the champagne popping from my house.
apparatchick (Kennesaw GA)
Fines don't mean a thing to the CEOs and boards of these huge companies. They write them off. Until there are laws that make these offenses criminal, these companies won't change their ways. Putting people in jail for these offenses will go a long way to curbing corporate greed.
Bob (Michigan)
And just how are you supposed to know: 1) whether or not your information was involved?, and 2) what the financial consequences were? If your info is out there couldn't that be exploited at some time going forward? Does Equifax have any obligation to contact all 147 million individuals and let them know that their info was breached? This sounds like a very shoddy settlement to me.
Mariah2 (New york, NY)
Millions and millions to the lawyers, and just over $4 to each Equifax customer? What we need is a law that allows us to opt-out from the money grabbers that can't keep safe the data they should not have in the first place.
BeBe (Washington DC)
@Mariah2 The refund amounts are not per capita for the 147 million but, rather, reimbursements to those who had out of pocket expenses in response to the breach, for example the purchase of credit monitoring or costs associated with responding to ID theft. You may want to consider the terms of the settlement. See https://www.ftc.gov/enforcement/cases-proceedings/refunds/equifax-data-breach-settlement for the precise terms of the settlement
suzrush (Los Angeles)
I don't remember the part where I gave my consent to Equifax to get and store my information to begin with. To me, that is foundational to this debacle. How is this private company, or the two others who do it, entitled to my information?
AN (Austin, TX)
@suzrush You did not authorize Equifax because you do not have any relationship with them. But you did authorize your bank to provide information to their business partners. The banks have agreed to share your information with each other (using Equifax and other credit bureaus) for their interests in telling good customers apart from bad customers. That's why Equifax has your information. You are not their customer or client, you are their product.
Viv (.)
@AN Except you are their customer, because you are the one who is legally responsible for the accuracy of your credit report. You are obligated to check your credit report with them. You are obligated to contact them to hand over information to contradict their false information. Not your bank. Not your government. Not anyone. On the other side, they are not legally obligated to correct false information on your report in a timely manner. The onus is solely on you to prove them wrong, not vice versa.
Justin (Seattle)
This corporation's only significant asset is our information, and they've proven incapable of protecting that information. They should be compelled immediately to shred every piece of our information in their possession--to render it unreadable. Then they should be barred from collecting such information in the future. Why should they ever again be entrusted with our most sensitive information? The problem is that then we'll be left with only two credit reporting agencies (Experian and Transunion), giving us even less leverage.
hen3ry (Westchester, NY)
In the meantime what is being done to protect us online period? We're told to purchase all these products but how much do they protect us when, at the other end, our information can be compromised? The data breaches described were not the fault of consumers. They are the fault of various corporations, many of whom are forcing us to go online to buy things we used to buy in the store. In my opinion our government needs to do a much better job protecting consumers from the failures of companies when it comes to data breaches, identity theft, etc. If I am forced to go online to pay my bills in the future what sort of assurances do I get that my private information will not be stolen despite any precautions I take? I think our politicians owe us, we the people who pay their salaries, a better answer than caveat emptor.
Richard Schumacher (The Benighted States of America)
Axios notes that the proposed $700 million fine amounts to about 0.2% (two thousandths) of Equifax's annual revenue, and that the European Union could have fined them ten to 20 times that much (2% to 4% of revenue). https://www.axios.com/equifax-data-breach-settlement-details-0d1a189b-8753-4110-9191-9d3b6756a7cf.html
stevelaudig (internet)
@Richard Schumacher. My math says about $4.40/customer, 650 divided by 147 but my math has been wrong before. Barely an Americano cuppa 'a joe.
Chat Cannelle (California)
Excerpt from the article: "But there have been no major changes to the federal laws covering what information credit bureaus can collect and what steps they must take to safeguard it." For all the white-hot bipartisan outrage and condemnation, Congress did nothing to protect us and give us control over our own data. They hold these televised hearings where they are excoriating the company, and nothing comes of it. The laws need to be amended so that people can decide which information of theirs can be collected or deleted, to whom we grant data collection abilities, the data collection companies have to assume all the burden of clearing up frauds, including all payments. In the meantime, we have to deal with the headaches caused by someone else.
Alice Clark (Winnetka, IL)
It seems that credit reporting businesses are focused more on "growing the business" and "monetizing the data," than on making sure their data is accurate and secure. Credit bureaus today seem oriented to serving financial institutions, not consumers. Their system for evaluating credit is slanted toward people who have debt, i.e., provide fees to lenders. How else to explain why my credit score languishes although I've never taken on much debt? I have paid all credit card bills in full every month for my entire life. I have no mortgage. The credit agencies tell me that my credit score would be higher if I had more debt, i.e., generated more fees for the financial industry. Perhaps the function of assembling and evaluating credit data belongs in an independent government agency.
jkw (nyc)
@Alice Clark "Credit bureaus today seem oriented to serving financial institutions, not consumers" was it ever different?
Viv (.)
@jkw They advertise their services to consumers and businesses as being the evaluators of people who pay their debts. So yes, people who pay their debts should have a good credit score. In reality, the people who have the best credit score are people with high credit limits and occasionally late payments on their credit cards. Those are profitable customers to them, so of course they get the highest score. And historically, yes it was different. Equifax originated in Georgia and was solely meant to be a merchant to merchant business - evaluate the creditworthiness of one company for other companies. Consumers were never supposed to be involved. A credit score was never meant to deny somebody a job or a place to live.
toom (somewhere)
The real question is whether those who have lost will ever be completely recompensed. I can only hope that class action lawsuits will help those who have suffered financial, mental and emotional damage.
Viv (.)
@toom The only way to really compensate people for the damage is to enact laws that severely diminish the power credit agencies have over people's lives. Why should a private corporation be entitled to know what your job is, how much you make, what your monthly bills are, and even what medical conditions you have? And all this without you ever even consenting to be their client. Why? So you can receive their stamp of approval and be granted basic things like a place to live and eligibility for a job (regardless of what your duties are). There's another name for this, and it's the social credit system in China. If you accuse somebody of committing a crime or misdeed against you, you report it to the police and/or sue them yourself. You don't report it to a private corporation who has no legal power to actually right the wrong, but merely keep a tally of all the accusations levied against people, and share those (often unfounded) allegations as facts with everyone from landlords to employers. The power credit agencies have is insane. Worst of all, people forget that before even basic regulations were enacted, credit agencies literally had people followed to see what they did during the day. The straw that broke the camel's back on those practices is that a senator found out he was being followed as he went into strip clubs and frequented mistresses. What this had to do with his ability to pay bills on time is something that was never answered.
Paul (Toronto)
This really isn't a fine, it's a reserve to pay out those affected by the breach - oh, ya and hundreds of millions to the lawyers. Bless them, the lawyers even remembered the plaintiffs this time. I wish my traffic tickets worked like this. $250 fine for running a red light that is allocated to a fund that repairs my vehicle from damage done running red lights. Sigh. Government by and for corporations.
Jason Druzgal (Charlottesville, VA)
So less than $5 per record breached? That’s insulting to the 148 million people affected. Our government has the power to protect consumer data and chooses not to do so. A similar breach of healthcare data would expose a hospital to up to $100,000 of liability per record breached. That’s the penalty set in the national HIPAA laws. And hospitals take that possibility seriously because they have much less cash on hand than Experian. This penalty is the sort of slap on the wrist that gets built into Experian’s budget. Feels a lot like the “penalties” assessed to drug companies for bad behavior.
@Jason Druzgal "Our government has the power to protect consumer data and chooses not to do so." Let me correct that: Republicans choose not to protect consumers and consumer data. Period.
David Doney (I.O.U.S.A.)
Senator Warren's investigation into the incident is a great read for corporate personnel interested in protecting their companies and customers. https://www.warren.senate.gov/oversight/reports/warren-unveils-new-investigative-report-uncovering-equifaxs-failure-to-protect-americans-personal-data
Viv (.)
@David Doney Warren's report doesn't address the central issue that these private corporations basically have the power of government agencies and yet aren't treated or accountable as such. There is literally no reason a private corporation should determine whether you are allowed to rent an apartment or have a job.
New World (NYC)
$4.00 per person. It’s like a slice of pizza and a soda. Sad.
Matt (Seattle, WA)
By my math, that's less than $5 per affected person. Not a whole lot...
Dave T. (The California Desert)
This is yet another reason why people are enraged about so many things. The fine levied against Equifax is nothing. It's a rounding error. In a decent world instead of a theocratic oligarchy, Equifax would be out of business and its executives in jail for insider trading and wire fraud.
Austin Ouellette (Denver, CO)
Equifax’s reported assets exceed $7.2 Billion. That’s reported assets. That’s not including the (likely) billions hiding in various tax shelters and corporate shells around the world. So let’s assume Equifax’s real net assets are somewhere around $9 Billion. This settlement represents less than 8% of their total assets. That’s like me mishandling every single identity of every person in the state of Colorado, then the DA fining me $1,200 and sending me on my way while chuckling and saying a good old fashioned “boys will be boys.” It’s a slap on the wrist. It SOUNDS like a lot of money to average people who don’t regularly vacation on superyachts where private chefs serve burgers made of rare meat on buns covered with 24k gold leaf. But to the billionaire class, $700 Million is a drop in the bucket especially to avoid the potential of jail time. You think they’d have agreed to that fine if it ACTUALLY meant something significant in the form of a penalty? Lol Nah. Trump’s DOJ will NEVER actually punish their fellow rich people. Just gotta put on a show and a dance for the uneducated American people who are more concerned with avoiding falling off the edge of a cliff while getting a perfect Instagram shot than they are with saving their country from tyrants/oligarchs.
@Austin Ouellette Don't forget that the DOJ wouldn't be Trump's had not every GOP senator confirmed Barr despite the writing on the wall... just like they confirmed all the other "best people" including dozens of unqualified judges and cabinet members: Price, Flynn, Pruitt, Perry, Carson, etc.
Matt (Brooklyn)
This is absolutely pitiful. I and millions of other Americans have to go through the rest of our lives with our security numbers at risk of being used and all we get is 10 years of credit monitoring? Reimbursement up to $20,000 for fraudulent activity so essentially a net zero. They should be fining this company to bankruptcy, CEOs in prison along with those that cashed out before the information was revealed. At the very least, make them poor like the rest of us miserable souls. Why is our Justice Department so bad punishing multi-billion dollar companies? Talk about a scratch in their bottom line.
Ilya Shlyakhter (Cambridge, MA)
“Equifax also agreed to provide up to 10 years of free credit monitoring” — to use it, you have to entrust all your data to Equifax! Their C.E.O. didn’t even know if they encrypt their data when asked by Congress. I want to use their monitoring service, but how can I trust them? They had the money to hire top-notch IT, and clearly didn’t.
Blue in Green (Atlanta)
@Ilya Shlyakhter “Equifax also agreed to provide up to 10 years of free credit monitoring” — to use it, you have to entrust all your data to Equifax! Equifax collects your data whether you like it or not. They can and do collect it without your consent, and there's nothing you can do about it.
Princess Pea (CA)
Equifax should have met the same end as Arthur Andersen.
Nate (Seattle)
This is sad. There's nothing consumers can do about working with this inept company, our data is sent to them whether we like it or not. Government should have stepped in, but they have failed us. Equifax should no longer be in business.
Rich Murphy (Palm City)
Just a cost of doing business.
WR (Viet Nam)
One need look no further than the helplessness of Americans to control their private information and prevent corporate credit bureaus from selling it at profit, to understand that the so-called "government" is classical fascism.
Kat (Austin, TX)
Facebook users voluntarily give Facebook personal information - likes, dislikes, photos, etc - nothing that can be used to steal an identity - and "The Federal Trade Commission has approved a fine of roughly $5 billion against Facebook for mishandling users’ personal information" (nyt July 12,2019). Equifax collects and stores personal information - SSNs, Financial account numbers, drivers license numbers - all data needed to steal identities - without anyone's permission, was criminally negligent securing the data leading to a data breach impacting 148 million and they get a $650m fine? Unbelievable.
Michael (Asheville, NC)
This fine is a joke. 148 million (affected people) times 40 (years) times 100 (cost per year for credit protection because of leak) = 500 trillion dollar cost to consumers. Break em up and never let them do business again.
In deed (Lower 48)
Four dollars a head when caught selling out the sacred privacy of the livestock that never belonged to you. Then back to making money off them. Life is good when you are king.
Tom (NJ)
With the Republican party's Fraudster-in-Chief Donald J. Trump as a U.S. president, a conman by his own lawyer Mike Cohen who said that Trump is a con man, fraud in America is an epidemic of political monstrous scale.
Village Idiot (Sonoma)
Hmmmm. $650 million to compensate 148 million people. Comes to about $4.39 apiece. Big Whoop.
Klem (Rochester nh)
When do I get my $1.48?
Paul Wortman (Providence)
WOW! We'll each get $4.39 to cover our losses!
Pillai (St.Louis, MO)
Wow. Can't wait to get that 4 bucks from Equifax - or is it 2 bucks after all the lawyer fees? - for all my information they got and sold, and leaked out without my permission. Despicable.
Clyde (Pittsburgh)
"Settlements" are a complete scam in our justice system. They don't create any new law, so they don't help the next poor sucker who gets taken advantage of by a company. They let the malefactors buy their way out, let the law firms make millions -- and the consumers then need to "prove" that they were harmed? Thanks, but no thanks.
Richard Cohen (South Bend Indiana)
Unless there is jail time for these CEOs or whoever is the top dog in the company this will happen again. All day everyday. These fines are calculated into the business plans. Big profits are still made and if not the companies get a government bailout. Put these white collar criminals in JAIL!
kdk (Portland, Or)
What's most concerning about this is the relative lack of concern that the majority of people seem to have. I only know a handful of people who went to the effort of freezing their credit, or signing up for monitoring after the breach. My understanding is this can come back to bite me in decades when I apply for social security. How is 10 years of free monitoring adequate? I spent hours and hours of time sorting out what to do to protect myself after this initially became public knowledge. Why can't I be reimbursed for that time as part of the settlement? It was a major pain. I agree, a truly just decision would be to dissolve the company and all assets go to those whose data was breached. It's sickening that this is somehow supposed to be adequate.
Mark In PS (Palm Springs)
The settlement is microscopic in comparison to the scope of the breach. With a minimum of $300 million in a restitution fund that works out to roughly $2 per victim. But wait! There's more! Apparently the bulk of the restitution is earmarked for those who paid for credit protection. In other words, if you did not pay for protection you are out of luck. If you did purchase protection then their insurance company will pay what they were obliged to pay anyway. Is there any way this can be seen as anything other than complete victory for the criminal?
Hardbop50 (Ohio)
The sad part is that financial compensation does little to give back the security and privacy of those affected. Nothing compensates people for being a major crime victim. It boggles the mind to think of those breaches that companies have been able to keep the lid on. The internet will never be secure. It's time to find a way of doing business that involves a more strategic use of old-fashioned paper and digits.
Konrad Gelbke (Bozeman)
Equifax gets off too easy: less than five bucks per customer whose data have been compromised! The damage the company did was MUCH larger.
Anthony (Seattle)
Breaking up the credit reporting bureaus and replacing them with an entity that’s accountable to the public should be low hanging fruit for an engaged Congress. Hopefully, they’d revise the manner in which credit is calculated as well; it’s incredibly difficult for the average consumer to fix their credit if something goes wrong. Maybe Elizabeth Warren has some ideas.
Blue in Green (Atlanta)
Richard Smith, the CEO of Equifax, retired from the credit reporting bureau with a pay day worth as much as $90 million—or roughly 63 cents for every customer whose data was potentially exposed in its recent security breach. The settlement is no justice. Smith should return every cent, and pay a fine.
Blue in Green (Atlanta)
@Blue in Green BTW, your lost identity is lost forever. There is no way to get a new one. Social Security does not issue more than one: ___ - __ - ____ The breach happened because new software was not installed by Equifax IT. This was nothing short of criminal.
NRoad (Northport)
The fine seems unreasonably low when you consider it amounts to less than $4.00 per person whose entire personal and financial circumstances were put at risk by the negligence of Equifax.
MC (Charlotte)
Of course they didn't get punished after hurting people. The people they hurt didn't even sign on or opt in, they just collect your info and score it and resell it to people who use it to decide how much you'll pay for interest and whether or not they should hire you. At least you signed onto Facebook- you get the service of a communication tool in exchange for your info. But you never gave Equifax any permission to own and sell your financial data. And what's more, you have to pay them to access it or even protect it. It's criminal. I'd love to see who the Board of Directors is pals with in DC.
sarajane (Atlanta)
Watch out for other ways this personal information can be used. A friend just had a potential scam which seemed more credible because they had her social security number. Basically they were accusing her of some fraud and asking for money. Probably Equifax is on the alert for people trying to open up fraudulent new accounts, so the scammers are using other ways to use these stolen social security numbers.
William Fang (Alhambra, CA)
The money is coming from the stockholders, so what do the executives care? Financial settlement just means businesses continue to view everything, including human lives, as the cost of doing business. If we wish to actually modify behaviors, either actual human beings have to pay or go to jail or the corporation has to shut down. At the same time reduce barriers to new market entrants.
hcw 3 (western New York state)
This data breach isn't the individuals' problem. It's a problem for the industry itself. If we don't accept the premise that it's our responsibility to prove our 'worthiness' to be the banks' customers, then they might admit that they have to fix their own problems with their 'credit checking' system. Simply, the banking industry needs a database of information about me, in order to do their business and sell me their products. Thus is born the credit reporting industry. Banks pay Equifax and others to compile info about people. It's the banking industry's ill-conceived system, yet they have the public convinced that it's the individual's responsibility to protect his/her 'personal information', and they have us convinced that it's up to us to prove to the bank our 'credit-worthiness'. The data breach threat is to the industry itself. It's their bad business model. If this data source that the banks have developed is 'undependable', then they can't sell their products. If they want to do business with me, they must find a reliable source of information about me. This problem they have with their business model, is not my responsibility, and actually, I can't fix it. Its theirs to fix! Perhaps we simply need to publish our personal information en masse, to make it valueless!
Jay (Mercer Island)
This is the equivalent of "I'm freezing your Netflix account for a whole week and you have to go to bed a half hour early with no phone".
Jacquie (Iowa)
Why were the executives of Equifax not held accountable? Also what about Experian who also leaked confidential information on Americans and of course Facebook and others. Congress needs to hold them accountable sooner rather than later.
Jonathan Butcher (Los Angeles)
$300 million allocated to the victims and there are 140 million victims? Let's simplify this restitution: 140 million new millionaires. Done. Unfortunately, the reality is that the "victim" money will end up in a trust fund that will ensure Equifax pays less in taxes, and the top 1% will continue as the 1%. Attorneys get a nice payday as well. Yay America.
I never gave them authorization to collect my data. Yet, they have it. I got a notification of a potential data breach and froze my account. But why do they know so much about me in the first place? We need an opt-in system for these big brothers. The executives who made out like bandits weren't even dealt with. No wonder people are fed up with bureaucracies like this one.
Niche (Vancouver)
Eh, routine cost of doing business for a multi billion dollar business in an industry with just 1 or 2 competitors. Securing data is way more expensive and harder to do than just paying a $650M fine.
K Cummings (Portland, Oregon)
Years ago Equifax sent to me someone else's full credit report. Her name was similar to mine and it came to my correct address. It contained every detail including her SSN and account numbers. It took days for me to reach anyone who seemed to be alarmed by this and then it was only a low level supervisor at Equifax who showed concern. Because such an error at the very basis of their business model was breached, it's no surprise that they have been 'caught' in this one.
Joe Sabin (Florida)
Equifax lost my data to a data breach, which included vital information to steal my identity and cause me potential financial ruin. For that, they get fined about $4 for my data. Part of the settlement should be constant lifetime monitoring of my credit, insurance to cover any losses I and others might sustain. This is not a settlement, this is a gigantic gift to a corporation that has been ruining the lives of Americans for generations. That's an absurd headline.
Rich Murphy (Palm City)
The settlement should require an opt in before they get anyone’s data
A. Stanton (Dallas, TX)
Let's see now: 650 million dollars divided among 148 million people equals $4.39 give or take the fraction left after the decimal point, not counting the ludicrous sum that will be siphoned off by the lawyers. So where do I go to pick up my buck and a half?
Ed Watters (San Francisco)
This is how it starts: with much fanfare, “the largest fine ever”, with no mention of how puny the fine is relative to the wealth of the company. This is how it ends: buried in the business section, “judge orders steep reduction in fine”.
Peter (Colorado)
It’s not enough, particularly after the company deducts the settlement cost. The fine should be several billion dollars, including clawbacks of multiple years of compensation from senior executives at the time. This was an egregious violation by an industry leader that essentially runs a monopoly and did as little as they could to ensure the data safety of 150 million Americans. It’s high time a stiff and unmistakable message be sent to corporate America that doing as little as you can to protect our identity, while you monetize that information is unacceptable and will be punished. If approved, the senior execs at this company will be toasting each other at a tax deductible wine and steak dinner that evening!
Aristotle Gluteus Maximus (Louisiana)
My credit reporting file has been locked, or frozen, for many years, more than a decade. Apparently I was not affected by the compromise of data. I'm not going to get $4.
Momo (Berkeley)
My bank account was hacked because of the Equifax breach. Although the bank caught it before I lost any money from my accounts, it took me a full two weeks of calling and writing to various agencies and talking to people before I felt somewhat safe again. 5 dollars doesn't even begin to cover the time and effort that went into fixing the problem Equifax caused. And of course, my private information will never be "private" again. This settlement is laughable.
hs (Philadelphia)
Read accompanying article on per hour compensation.
Corey (Pelham, NY)
The proposed fine is laughably inadequate for the crimes and gross negligence of Equifax. They failed to fix a known defect, allowed unauthorized entry for many months, and when they determined that a breach had occurred, callously waited three weeks to notify individuals. The court has an opportunity here to fix a fine in the billions of dollars, which should put every company storing such confidential information on notice that future data breaches will be very costly. Congress should allow Americans to opt out of having their data stored by Equifax or any other credit agency.
Andy (San Francisco)
That doesn’t sound like nearly enough. Their only job is to protect our data - if you’re a working-age adult you literally have no choice but to trust them with sensitive personal information. They clearly shouldn’t be allowed to remain in business.
pb (calif)
The lawyers will get most of it. People who were hurt will get nothing. Politicians will get PAC contributions. Same old scenario from the corporate world.
Mark In PS (Palm Springs)
So this company, through criminal negligence, settles for less than $5 per victim and is allowed to continue to administer and profit from vast stores of sensitive data? It is a vivid illustration of how justice for Corporate America works as compared to its application to the average citizen. I am certain they will be a useful case study for the Democrats in the upcoming campaign.
me (world)
After attorney's fees, only $300 million to victims, roughly $2 each. But they may be paying $100 or more for credit protection services as a result of Equifax's bungling. Fine should be at least $3 billion to victims, roughly $20 each.
Dave (Poway, CA)
"Largest Data-Breach Settlement Ever" Chicken feed!! About $4 per victim. About 3 months of revenue. The senior executives who were negligent "retire". No one goes to jail. No new regulatory controls on the industry. Pathetic!!!
Robert W. (Albany, NY)
@Dave Gee. Guess I'll be visiting Starbucks with my haul from this settlement. My data is out there on the dark web. Probably forever. Thanks for nothing.
SSimmons (Salt Lake City, Utah)
Approx. a whopping $4 per person affected (and many were charged more than that to have EF freeze their credit). What an insult
Frustrated American (California)
@SSimmons $2 after legal fees. How is this a deterrent? How can any court think this is appropriate restitution for the stress of our financial information made available to criminal parties?
Mr. Mark (California)
Largest ever? Big deal. It works out to less than $5 per person whose data was breached. The Times' use of "largest ever" is biased in favor of Equifax. It makes it seem like we should be happy. The fine should be $100 per person. That would cause some real changes to be made.
Adam (Connecticut)
nice: $4/p.p. such a deal.
Randall (Portland, OR)
Equifax posted $3.4B in revenue, just in 2018. This is not a "punishment" in any real sense of the word.
Lily (Maine)
The link to "what to do if you were affected" works, but the further link to Equifax's site to see if your name is on the list does not work.
Maggie (U.S.A.)
@Lily Small wonder why. Anyone who has ever had any dealing with Equifax knows it is a black hole where nothing works for the consumer. Because it has never been held accountable over the past 60 years and still isn't.
dt (New York)
$500m/148m victims =$3.38 per victim, if victims get 100% of the fines they are awarded. This is justice in 2019 America, land of the plutocrat.
Danny (Cologne, Germany)
This is ridiculous. Who pays these fines? Shareholders. Who commits these crimes? Primarily management. Until there is actual accountability (ie, prison sentences), these fines are regarded as the cost of doing business and acceptable, since the malefactors don't pay the price. We see this in the financial industry and tech industry in general. I'd bet a dime to a dollar that if Mark Zuckerberg were sentenced to 6 months in prison with the threat of 10 more years, Facebook's privacy issues would disappear. That, or he'd go back to prison. The point is that without individual responsibility, there is no incentive to do the right thing, and every incentive to do whatever it takes to increase profit, regardless of the consequences to others.
Maui (Brooklyn)
Two words: not enough
artenough (miami)
wow. $4 per person. what was the cost in time etc people spent dealing with this. not a slap on the wrist, a slight brushing with a feather
pakrin (New Mexico)
Not enough! a terrible company
Aristotle Gluteus Maximus (Louisiana)
The US Social Security Administration uses Equifax to confirm the identity of benefit applicants. If an applicant has frozen or put a lock on their credit account it is impossible to apply for Social Security benefits online. A person cannot apply by mail. They have to do it online or in person at the Social Security office. If a person calls Equifax to clear up any difficulties or unlock their credit reporting they are connected to a call center in India staffed with people who barely speak heavily accented English. That's all fine and dandy if Hindu is your primary language but most Americans will have a difficult time having a conversation. All this just to apply for Social Security benefits. The US government has created an intimate dependency with a private company to provide its legally mandated services to the American people.
Mark In PS (Palm Springs)
@Aristotle Gluteus Maximus So much for outsourcing to the free market. This really illustrates the range of problems that arise from the government contracting out critical services in the name of efficiency and thrift. When delegating such services to profit-making entities we get neither quality, value or security.
Anonymous (The New World)
These three credit unions should not have the monopolistic power that they have, period. They have ruined millions of lives thru this hack and cull far too much information from consumers. What they do with it - sell it - is appalling. They should be broken up or taken over by a neutral governmental agency that is nonprofit, period.
Doug Karo (Durham, NH)
I guess I fail to see how this is punishment for the company: getting credit for costs the company has chosen to incur or must incur to satisfy solid damage claims from victims of its behavior and costs the company has chosen to incur to keep its other customers. Are we agreeing that the company would have chosen not to pay damage claims and not to incur costs to keep their customers? Perhaps the punishment is that part that the company must pay in big fees to the successful lawyers?
Almost Can’t Take It Anymore (Southern California)
I worked for a demographic company in the 1980s. This is when TRW sold their data division. At that time census data was enhanced and then crudely matched with credit data by zip code. As the power of computers increased and cost less, the capabilities increased to matching to Zip 4 and census block. Now it can be done on an individual basis without the census, using all of our personal financial and purchasing data. The horse ran out of this barn a long time ago and no one paid any attention.
Almost Can’t Take It Anymore (Southern California)
Clarification: TRW sold their credit reporting division to Equifax.
D (Toronto)
Last fall when I froze my Equifax credit report (as well as other agencies), within a week my credit score dropped from 802 to 762. Nothing else has changed and no reason was given for this drop in my credit score. My previous score stayed the same for over 10 years. Makes me wonder.
Viv (.)
@D That's because there is no legit reason. Your choice to freeze your credit report is a signal to them that you're not interested in taking on any more debt products, or getting a different job where a credit check is mandatory. This makes you a bad customer, and hence the reason your score dropped. If you had signed up for credit cards you don't need, missed a payment or remortgaged your house for no reason, your score would have gone up. As a Canadian, you're not eligible for any settlement (even though Canadian customers were affected) because the Canadian government did not pursue any action against Equifax.
Mike L (NY)
They had one job and one job only: to secure consumers’ personal information so that third parties could check a consumers credit rating. They failed miserably. As a result they should not even be in business anymore. I didn’t pick them to hold my information, did you? Then why are they even still in business?
McDouche (Florida)
@Mike L And their "free credit monitoring" ends after only two years. So data thieves know that all they need to do is sit on the stolen data for two years, then sell it. And then they had the audacity to automatically enroll customers in paid-for credit monitoring by one of their subsidiaries -- essentially Equifax getting paid forcibly by its own victims. But it's good to see Equifax was punished a whopping $6 for every person for which data was stolen. That should teach them... right...?
Leo (Queens)
The credit bureaus are the most backward business models I have ever heard of, proving just how corrupt our government is. Instead of them earning our business by providing privacy security, we have to earn their business by making sure our credit score is as good as it possibly is. Call them and ask them for a free credit report, see how much junk they try to sell you to protect the data you never allowed them to have. We need change and I suspect the corruption of companies like Equinox can be a great platform for presidency in 2020, it affects every American.
joe Hall (estes park, co)
ALL of those credit companies need to be investigated immediately. Also, those companies have a huge $ incentive to lower your score and often have the state help hurt the consumer.
Objectively Subjective (Utopia's Shadow)
I never asked Equifax to spy on my life, collect my data, and sell it. And yet it has, with the government’s blessing. And then it blew it and allowed my data to become a public commodity. Why wasn’t this fine fatal? Why is Equifax still in business? Nobody is protecting us. Nobody cares. And even the press, the “voice of the people,” treats this piffling fine as some dramatic action, rather than a beard over the fact that corporation and the wealthy control our government. Did the execs still get their bonuses? How much is the CEO making this year? We don’t know because that isn’t considered “relevant” by reporters. Burn it down. Burn it all down. Corruption from top to bottom.
Rich (NY)
So what does this translate to - the average consumer whose credit was breached gets $3 or $4? The same consumers who may now be paying over $100 annually for credit protection services, now that their personal information has been breached. And there are plenty of people in that category. It's reprehensible that not a single senior executive is facing charges for the "corporate incompetence". This wasn't just shareholders who were hurt as was the case in the early 2000s (Enron, etc), but rather consumers who had no idea their personal data was so vulnerable and subject to theft. Consumers have no control over this and no ability to opt out of the process, and now don't have much recourse apparently either. Unless you consider a few bucks to be ample compensation. If we're going to have any deterrent against similar breaches in the future, the government should be going after the senior executives who were in charge of the company.
Evangelist For Reality (New York City)
So that “penalty” equates to $4.39 per person. Wow, that’s some penalty. And those execs who sold their stock before the news broke don’t have to disgorge profits? Wow, that’s some penalty.
Harvey (Northfield, MN)
@Evangelist For Reality Actually, it amounts to about $2 per person. If you re-read the article, it states that after the lawyers get their cut, only $300 million is expected to be paid out to victims. Lawyers are the only 'winners' in this crime.
Geoff (Atlanta)
As one of the millions who had personal information stolen in Equifax breach, I don't expect a dime from any of the settlement. It took a long time but did receive a small check not so long ago from Bank of America settlement. With Equifax breach we were provided credit monitoring service which ended in a year to be replaced by another credit monitoring service by another credit agency. Will take a very good investigative reporter to unravel all the complexities of how Equifax breach will ultimately play out and who will receive largess of settlement. Suspect whoever gets larger slices of settlement pie, will somehow manage to waste a large part of it on administrative costs within their organizations.
Observer (Washington, D.C.)
A tiny fine. Each victim gets what, a dollar at most? After the lawyers take their half. The company needs to be dissolved and its assets distributed to its victims.
Harvey (Northfield, MN)
@Observer What assets? The only asset they have is information that is private to the millions of people they've spied on without asking any of us if that is OK.
Nat (NYC)
@Observer If the company were dissolved, the proceeds of any liquidated assets would go first to the company's creditors. Not much left over for customers.
Viv (.)
@Harvey The assets they have is the billions in revenue from subscription services - banks, employers, landlords, governments, etc. all pay Equifax billions in fees for their baseless morality ratings.
Wally (Pismo Beach CA)
Given the business this company is in and their terribly lax and irresponsible framework as mass data custodians, this is the classic slap on wrist. They aren’t the only company that provides these services and aren’t really needed at all.
Concerned for the Future (Corpus Christi, Texas)
A Consumer agency was created to help protect consumers just as in cases like this or put in regulations requiring these credit reporting agencies to protect us. What happened to that agency Mick?
Jodrake (Columbus, OH)
@Concerned for the Future It suffered death by a thousand republican cuts.
Gregory Ziegler (Washington, District of Columbia)
There should be an investigation on insider trading for any person who sold Equifax stock before they revealed news of the security breach to the public. Prosecutors need to stop ill-received gains of companies like Equifax, Enron, and others to restore consumer confidence and humanity's trust of capitalism as a whole.
TNelson (Seattle)
And all the executives who sold stock the day or two before the breach was publicly announced will have to forfeit the gains right? Right?