Consumer credit reporting agency Equifax must pay $19.5m to settle a lawsuit filed by the State of Indiana.
The Hoosier State sued Equifax after a major data breach at the company exposed the personal information of more than half of all Americans, including 3.9 million Indiana residents.
In the breach, which occurred between May and June of 2017, attackers exploited an unpatched Apache Struts vulnerability to gain access to the personal information of around 150 million Equifax customers. The data accessed by the attackers includes highly sensitive financial data, driver’s license numbers, and Social Security numbers.
Equifax discovered the breach in July 2017 and failed to disclose the major cyber-incident until close of trading six weeks later.
Indiana’s suit, brought by the state’s attorney general, Curtis Hill, accused Equifax of failing to adequately protect the private information of the state’s residents.
According to the terms of the settlement, Equifax has to pay Indiana $19.5m and must also resolve any remaining cybersecurity issues and take action to safeguard information against future cyber-attacks.
Indiana is one of only two states that opted not to participate in a multi-state suit brought against Equifax following the breach. This jointly brought suit was settled in July 2019 for a sum of $700m with the US Federal Trade Commission, Consumer Financial Protection Bureau, and 48 states and territories.
An investigation conducted by the Information Commissioner’s Office (ICO) found that the US Department of Homeland Security had warned Equifax in 2017, before the attack occurred, about the existence of cybersecurity vulnerabilities in its computer systems. But Equifax paid no attention to the department’s warning.
The ICO hit Equifax with a fine of $660,000 in September 2018 for failing to protect customers’ personal and financial data.
Equifax collects and retains data on every American about the number of credit cards they own, how much money they owe, and how they make the payments. The company then uses this data to create a report, which it sells on to businesses for profit. Americans are not permitted to opt out of this data collection.