Equifax pays Indiana $19.5m to settle data breach case

Consumer credit reporting company Equifax has shelled out $19.5m to settle a class-action lawsuit brought by the State of Indiana.

The Hoosier State filed the suit against Equifax after a major data breach at the organization exposed the personal information of over half of all Americans, including 3.9 million Indiana residents. 

Between May and June of 2017, threat actors exploited an unpatched Apache Struts vulnerability to gain access to the personal information of around 150 million Equifax customers, about 56% of Americans. Information illegally accessed and copied by the cyber-criminals included highly sensitive financial data, driver's license numbers, and Social Security numbers.

Equifax discovered that a breach had occurred in July 2019. The company neglected to disclose the major cyber-incident until close of trading six weeks later. 

Indiana's suit was brought by the state's attorney general, Curtis Hill. In it, Equifax is accused of failing to adequately protect the state's residents' private information. 

Under the terms of the settlement, in addition to paying Indiana $19.5m, Equifax must resolve any lingering cybersecurity issues and take action to safeguard information against future cyber-attacks. 

Indiana is one of only two states that opted not to participate in a multi-state suit brought against Equifax following the catastrophic breach. This jointly brought suit was settled in July 2019 for the eye-watering sum of $700m with the US Federal Trade Commission, Consumer Financial Protection Bureau, and 48 states and territories. 

Like Indiana, Massachusetts decided to go it alone when tackling Equifax over the breach. The state's attorney general, Maura Healey, filed a complaint against the company in Suffolk Superior Court in September 2017. 

An investigation by the Information Commissioner's Office (ICO) into the data breach found that the US Department of Homeland Security had warned Equifax about cybersecurity vulnerabilities in its computer systems in 2017 before the attack took place. According to the ICO, Equifax chose not to heed the department's warning.

The ICO slapped Equifax with a fine of $660,000 in September 2018 for failing to protect customers' personal and financial data. 

Equifax is one of three national credit bureaus that collect and retain data on every American regarding how many credit cards they have, how much money they owe, and how they pay their bills. The company profits from this data by using it to create a report that is sold on to businesses. Americans are not allowed to opt out of this data collection.
