A lot has happened since 2017, but one thing remains as true now as it was then. The ramifications of the devastating Equifax security breach are still being felt by both the company and the public. Most recently, on October 22, 2020, a federal judge in Atlanta approved a $7.75 million class action settlement against Equifax, Infosecurity reported. The settlement comes as impacted residents in Indiana are just starting to receive payment from a separate class action settlement.
Equifax is one of the largest consumer credit reporting agencies in the world, and was charged by the federal government with monitoring the credit of millions of Americans. As a result, the company had access to millions of Americans' personal information, much of which was stolen by hackers in the 2017 data breach. These hackers were able to enter the Equifax system using known vulnerabilities in open source Java code.
A major settlement
The Atlanta case was heard in the Northern District of Georgia and presided over by Chief Judge Thomas Thrash, via Zoom. Rather than individuals whose personal information was stolen, the plaintiffs in this case were 21 financial institutions whose customers had been affected. In many cases, the financial institutions had had to take on the initial costs of the breach while litigation against Equifax was ongoing.
The $7.75 million settlement total included $2 million set aside for legal fees, leaving $5.5 million to be distributed amongst the plaintiffs. As a part of the settlement, Equifax was also required to invest an additional $25 million into the financial institutions' data security over the next two years.
In a statement, Judge Thrash said that he felt the settlement amount and distribution were fair to all parties involved.
"The fact there were no objections from class members weighs in favor of approving the settlement," said Thrash, per the news source.
Restitution in Indiana
In Indiana, meanwhile, State Attorney General Curtis Hill announced the debut of a web portal that Hoosier State residents who had been affected by the Equifax breach can use to file for compensation, according to 13WTHR, the local NBC affiliate of Indianapolis. The money for restitution comes from a $19.5 million settlement reached between Indiana and Equifax in April 2020. Hill announced the portal on October 6, 2020. All claims are due by December 16, 2020.
"Millions of Indiana residents were endangered financially due to Equifax's failure to protect the personal information it was entrusted to keep private… We encourage these consumers to visit this website and claim the money they deserve," said Hill, as quoted by the news source.
According to WRBI, a news radio station based in Batesville, Indiana, consumers can go to the website IndianaEquifaxClaims.com and enter their information to see if they have a case. Information that was stolen from Indiana residents included addresses, credit card information, dates of birth, driver's license numbers and Social Security numbers. The state estimates that about 3.9 million of its residents may be eligible.
Both the Atlanta and Indiana class action settlements are separate from the massive $1.4 billion settlement reached with the federal government on behalf of the millions of impacted consumers in America.
The shortcomings of Java
The 2017 Equifax data breach was one of the largest cybersecurity breaches in American history. Data was stolen from a staggering 143 million Americans, or about 40% of the population, according to CSO United States. The crisis began in March 2017, when the company's Java-based consumer complaint web portal was hacked. From there, hackers were able to move into other servers, finding usernames and passwords as they went along.
Many of the cases against Equifax stem from the way that human error and lax security measures contributed heavily to the crisis. The company's consumer complaint web portal was accessed through a well-known vulnerability that had simply not been patched in a timely manner. Once hackers had entered the system this way, they were able to access passwords and data because the web portal wasn't segmented off from other servers. In addition, the hack went largely undetected for months because Equifax had not renewed a vital encryption certificate.
While Equifax's oversights were especially egregious, considering the amount and sensitivity of the data they were protecting, anyone using a long-established, open source coding language like Java runs a very similar risk. Luckily, terminal emulation programming from Inventu can remove Java code and keep your organization safe from data breaches and other threats.