Equifax to Pay $18M Over Data Breach Affecting Nearly Three Million Mass. Residents

April 20, 2020

One of the largest consumer credit reporting agencies in the country has agreed to pay $18.2 million and undertake significant injunctive relief following a massive data breach in 2017 that compromised the personal information of nearly three million Massachusetts residents, Attorney General Maura Healey announced in a press release issued by her office.

The consent judgment, approved by a Suffolk Superior Court judge on April 13, resolves the AG’s 2017 lawsuit alleging that Equifax failed to patch a known vulnerability in its network, allowing hackers to infiltrate its systems and access the sensitive personal information of at least 147 million consumers nationwide.

“Equifax had a duty to protect the private information of our consumers and it failed massively – leading to the worst data breach in history,” Healey said in the release. “Our office secured a significant penalty from Equifax to ensure accountability for this inexcusable conduct. The company will implement stringent measures to strengthen its security practices and keep our data safe.”

When Equifax announced the data breach in early September 2017, Healey launched an investigation to determine the risk to consumers and whether the company had proper safeguards in place to protect consumer information. The AG’s Office then sued Equifax under Massachusetts consumer protection and data privacy laws.

According to the AG’s complaint, unauthorized third parties infiltrated Equifax’s computer system through its website for months without the company detecting them and stole sensitive and personal consumer information.

This July 21, 2012, photo shows Equifax Inc., offices in Atlanta. Credit monitoring company Equifax says a breach exposed social security numbers and other data from about 143 million Americans. The Atlanta-based company said Thursday, Sept. 7, 2017, that “criminals” exploited a U.S. website application to access files between mid-May and July of this year. (AP Photo/Mike Stewart)

The complaint alleged Equifax lacked sufficient safeguards to protect consumers’ personal data in its system. The complaint further alleged that Equifax violated Massachusetts law by delaying notice of the breach. According to the AG’s complaint, Equifax knew about the breach around July 29, 2017, yet did not notify the AG’s Office or consumers until Sept. 7, 2017.

Under the terms of the proposed settlement, Equifax will pay an $18.2 million penalty to Massachusetts, a portion of which the AG’s Office will use to support local consumer aid programs.

The settlement also requires Equifax to take steps to strengthen its security practices and bring them into compliance with Massachusetts law, including regular monitoring, identifying critical security updates, minimizing its collection of sensitive data, improving account management tools, and allowing third-party assessments of its data safeguards.

Massachusetts consumers affected by the breach can seek available relief under the settlements that Equifax reached in July 2019 with 50 states and U.S. territories, the Federal Trade Commission, the Consumer Financial Protection Bureau, along with a national consumer class action suit.

Eligible consumers can file claims for relief from a Consumer Restitution Fund created under these settlements to obtain assistance in freezing and thawing their credit files, the opportunity to dispute inaccurate credit report information, and to seek payments and assistance in addressing identity theft that results from the breach.

Source: Massachusetts Attorney General’s Office
