Local people who had their personal information hacked during a 2017 Equifax data breach may not know it yet, as hackers sometimes wait years to use Social Security and driver’s license numbers, an area cyber security expert says.
The credit checking company agreed Monday to pay at least $700 million to resolve consumer claims and multiple state and federal investigations stemming from the data breach.
The settlement with Equifax is the largest in U.S. history, according to Ohio’s attorney general office, which was part of negotiations following the hack that exposed sensitive information of more than 148 million people.
“Early on, other experts were indicating that this could be something that one year, two, three years down the road, this information may be used,” said Shawn Waldman, CEO and founder of Miamisburg-based Secure Cyber Defense. “There was so much information made available to (the hackers), it could take a long time for this to really get sorted out through the dark web and through the other criminal channels.”
A coalition of state attorneys general found that Equifax failed “to maintain reasonable security systems,” allowing hackers to breach the data, according to a statement from Ohio Attorney General Dave Yost’s office. Breached data included Social Security numbers, names, dates of birth and addresses, along with credit card and driver’s license numbers in some cases.
“Today’s constant threat of cybercrime leaves no room for stewards of the public’s data to ignore security flaws,” Yost said. “Equifax knew about its vulnerability for months ahead of the breach but did nothing to plug the gap in its defenses. A swift response could have prevented this whole ordeal.”
The settlement includes up to $425 million to a consumer restitution fund. The money can be used to reimburse time and money those impacted spend to protect themselves from threats resulting from the breaches.
“We have been committed to resolving this issue for consumers and have the financial capacity to manage the settlement while continuing our $1.25 billion EFX2020 technology and security investment program,” said Equifax CEO Mark Begor.
Ohio will receive at least $7.14 million as part of a $175 million payment to states involved. Equifax will also be required to pay a $100 million penalty to the Consumer Financial Protection Bureau, according to a release from CFPB.
Affected consumers can also get extended credit-monitoring services for at least 10 years from Equifax, something Waldman said is the most important for impacted consumers.
“Your Social Security number is your Social Security number. There’s no changing that,” Waldman said. “Don’t let your guard down because that’s what they want you to do.”
Consumers can also monitor banks and other financial connections closely, set up credit card and bank transaction notifications and freeze credit so nobody else can’t use their information to take out loans or open accounts.
Consumers eligible for restitution can submit claims online or by mail. They can also call a settlement administrator at 1-833-759-2982 for more information.
Equifax first announced its data breach on Sept. 7, 2017, after it went unnoticed for 76 days, the 47-state investigation found. In addition to to failing to have an adequate security program, Equifax didn’t replace software that monitored the breached network for suspicious activity, according to Yost’s statement.
As part of the settlement, Equifax will take additional measures to better protect consumers’ information in the future, according to the release.
These include: making it easier to freeze and thaw credit, making it easier for consumers to dispute inaccurate information on credit reports, maintaining sufficient staff to assist consumers who may be victims of identity theft, strengthening its security practices, reorganizing its data security team, minimizing its collection of sensitive data and the use of consumers’ Social Security numbers and performing regular security monitoring.
“For a credit bureau to be compromised, that was a pretty good breach of trust,” Waldman said. “The larger you are, the more valuable the information, the more you’re going to be a target and the more you’ve got to up your game from a cyber security perspective.”
FIVE FAST READS
Thank you for reading the Dayton Daily News and for supporting local journalism. Subscribers: log in for access to your daily ePaper and premium newsletters.
Thank you for supporting in-depth local journalism with your subscription to the Dayton Daily News. Get more news when you want it with email newsletters just for subscribers. Sign up here.