Back in 2017, credit reporting bureau Equifax was hit with one of the most devastating data breaches on record. The company suffered a hack that compromised the personal information of 147 million Americans, including Social Security numbers, dates of birth and physical addresses. Now the multi-billion dollar corporation will finally pay up for its negligence — unfortunately, the penalty handed down from the United States' Federal Trade Commission feels a bit underwhelming. In a settlement announcement Monday, the FTC and Equifax agreed to a $575 million penalty that could balloon to as much as $700 million.
That money will be paid to the FTC, the Consumer Financial Protection Bureau (CFPB) and 50 U.S. states. $300 million will be set aside to create a fund that will provide consumers affected by the breach with credit monitoring services, with as much as $125 million more ready to be made available if that initial payment doesn't cover everyone. Starting in January 2020, the credit reporting bureau will be required to provide everyone in the U.S. with six free credit reports each year for seven years. Another $175 million will go to the states, while the CFPB will collect $100 million in civil penalties. FTC Chairman Joe Simons offered some strong words regarding Equifax, calling out the corporation for failing to "take basic steps that may have prevented the breach."
On paper, the penalty levied against Equifax for the breach has the appearance of being significant. It represents about 17 percent of the company's revenue last year, which isn't exactly chump change. But the company has been preparing for the fines to hit and set aside $700 million to cover the costs and by the time the FTC handed down the penalty, it barely registered as a blip on the radar for the credit reporting company. Equifax's stock actually went up Monday despite the announcement after it was revealed that the company would pay less than a quarter the amount of Facebook's $5 billion fine for its bevy of privacy violations.
Broken down by the number of people affected, Equifax ended up paying out about $4 per person who had their information compromised in the breach. Consumers who chose to freeze their credit after Equifax's lapse exposed them to the possibility of fraud and identity theft spent more than just trying to protect themselves. The cost of freezing credit is typically around $10 and typically has to be done with all three major credit reporting agencies — Equifax, Experian, and TransUnion. A 2018 survey commissioned by small business loan provider Fundera and conducted by Wakefield Research estimated that Americans spent about $1.4 billion in total trying to protect themselves following the data breach. Of course, that's nothing compared to the cost of actually having your accounts compromised or identity stolen. According to the U.S. Department of Justice, victims of identity theft lost on average $1,343 related to the compromise. Javelin Strategy and Research reported that 2017, the year of the Equifax breach, was the worst on record for instances of identity theft. As many as 16.7 million Americans were victims of some form of identity fraud, and costs related to the criminal activity hit $16.8 billion.
Given the sheer volume of data that Equifax allowed to be stolen by hackers and the ease at which it could be used to harm consumers, the $700 million penalty seems paltry compared to the potential cost of the damage done. That's only made worse with the understanding that the breach was avoidable. A U.S. House Oversight Committee report published last year concluded that the Equifax breach was "entirely preventable" and was the result of lax security practices that resulted in the company failing to take proper steps to secure the extremely sensitive data that it collects and maintains. The company failed to patch a security vulnerability highlighted by the Department of Homeland Security months before the breach occurred. It stored unencrypted passwords on its server, which allowed hackers to effortlessly access dozens of databases maintained by Equifax. It allowed the hackers more than two months of unfettered access to sensitive information, failing to catch the malicious actors despite more than 9,000 attempts to connect with the company databases and as many as 265 separate downloads of data occurring.
By all accounts, Equifax engaged in gross negligence. Still, the company will basically escape the incident unscathed. The $700 million fine will be a drop in the bucket for the company and a fraction of the amount Americans will likely end up spending trying to protect themselves and recover from fraud and identity theft enabled by the breach. Much of the data from the breach has yet to make its way online, suggesting the real cost of the breach for consumers is still to come. Only one executive at the company has received time behind bars for anything related to the breach, and that was for engaging in insider trading with knowledge of the security lapse, not for actually allowing the breach to happen or compromising personal information of more than half the adult population of the U.S. Even with the $700 million penalty, it's consumers that end up paying for Equifax's failures while the company gets to continue to operate and control massive amounts of sensitive information that it has already proven it can't sufficiently protect.