One of the largest breaches of data in recent memory is the attack on Equifax that exfiltrated hundreds of millions of records. Equifax, one of the world’s largest consumer credit report companies, was attacked during a period of 3 months from May to July in 2017. The effects of the breach are yet to be exhausted and the impact continues to affect thousands of Americans. The company offered free credit monitoring or a cash settlement, but there is a catch.
Equifax Web Portal’s Security
According to reports, the attack was made possible through an Equifax web portal that was intended to be available only to Equifax employees. Turns out, the portal wasn’t as secure as Equifax’s security team had thought. In fact, it was hardly even secured at all. The fault in the web portal’s security was discovered by a security researcher who discovered that the portal could be accessed by non-employees due to a basic “forced-browsing” bug. The researcher went on to download the data of hundreds of thousands of Americans as a means to bring light on the issue to Equifax’s security team. Luckily for Equifax, the researcher was only trying to protect the records of those Americans. The anonymous security researcher wanted to prevent a breach from cyber criminals that would exploit the data.
Seth Klarman’s Collective Wisdom: Risk Analysis Is The Key To Investment Success
Please note this article is based on publicly available information, however ValueWalk just received Baupost's 2018 letter moments ago and will have exclusive coverage shortly. Seth Klarman is widely regarded as one of the best value investors the world has ever seen. Over the past few decades, his hedge fund, the Boston-based Baupost, has achieved Read More
Unfortunately for Equifax - and more importantly those affected - increased security measures of the web portal and Equifax’s servers were not put into place effectively, the report later reveals. A sure indication of Equifax’s security ignorance that would come to practically destroy the company’s reputation only a couple of months later...
In May of 2017, the attacks began. Hackers were able to exploit one of Equifax’s outdated web servers as a means to steal personally identifying information of Equifax consumers. The hackers were able to exploit more than 140 million records of Americans before the attack was detected and finally halted in late July of 2017. At the time, the attack was considered to be the biggest data breaches in history.
Types Of Data Exposed
The types of data exposed from the breach included names, home addresses, phone numbers, dates of birth, social security numbers, and driver’s license numbers. On top of that, the credit card numbers of approximately 209,000 consumers were also breached.
To further indicate the company and its leadership’s negligence to protect consumer data, the breach was not publicized until more than a month after they had discovered it happened. During the period between the breach’s discovery and it being publicly announced, Equifax top executives were selling off company stocks which gave rise to accusations of insider trading.
Finally, in September of 2017, Equifax came forth and publicly announced the breach.
Fast forward to July 22 of 2019 when Equifax came to a settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau, and 50 states of the USA to pay at least $575 million, with $425 million of that settlement set to help those affected by the data breach.
Equifax Offered $125 Cash Or A Free Credit Monitoring As Settlement
Shortly after the settlement, Equifax consumers that were affected were told that they would be entitled to their choice of $125 cash or a free credit monitoring service. Unsurprisingly, the majority of consumers opted for the $125 cash.
But, here’s the catch - Equifax has only allotted a total of $31 million to reimburse those consumers who had their data compromised. $31 million to reimburse roughly 147 million Americans with $125 cash. That would mean that Equifax would need over 3 billion to pay out the consumers $125 each, which isn’t going to happen according to the Equifax and the Federal Trade Commission. As stated on the FTC’s settlement page, “each person who takes the money option is likely to get a very small amount”.
Basically - the more that people signed up, the less cash there was to payout.
Take the free credit monitoring
The realization that Equifax would not be able to pay their promised $125 cash caused a commotion among those that had applied for their reimbursement and made headlines across the nation.
If you were one of those affected by the Equifax data breach of 2017 (which is likely if you’re American since nearly 50% of the US population was affected), good luck getting the $125 you were told you’d receive. You’re better off opting for the alternative option that guarantees free credit monitoring at the three main bureaus - Equifax, Experian, and TransUnion - for up to 10 years, plus $1 million in identity theft insurance. The market value of those services is equivalent to hundreds of dollars per year.
But then again, who wants to deal with Equifax anymore anyway?...