Equifax Pays $19.5 Million to Settle Indiana Class Action Data Breach Lawsuit

Ripples of the major data breach continue to be felt. Equifax has recently paid $19.5 million to settle a class action lawsuit in Indiana.

The saga of the Equifax data breach continues more than two years after the initial breach. The initial breach took place sometime in 2017 and we were able to first pick up the saga in 2018 when the discovered breach wound up being worse than initially reported. At the time, the number of American’s affected reached 145 million or over half the countries population. In March, those numbers ballooned yet again to nearly 150 million American’s. At that point, many were calling it one of the worst US data breaches in history.

By September, the company was fined £500,000 in the UK over the breach. GDPR wasn’t in force at the time, so really, in that regard, the company got off quite easy on that one. Of course, back in the US, the story wound up being very different.

In May of last year, the Indiana Attorney General filed a lawsuit against the company. After stories swirled about how an executive held off on informing the public so he could sell his shares to avoid personal losses, a jail sentence was then handed down to the executive in question in July of last year. The executive was forced to pay back the money he saved by withholding the information from the public.

Later on in the same month, reports surfaced that the company settled for $700 million. When it came time to start giving settlements to average American’s, it became clear by August that not everyone affected will get their $125 payout. By September, bureaucratic hurdles were thrown up to encourage people to accept free credit monitoring instead. That move sparked criticism from consumer rights organizations.

Fast forward to this year, the US Justice Department handed out four charges against 4 alleged Chinese hackers over the breach. At the same time, Equifax found itself needing to pay an additional $100 million.

If you thought the story might finally be over, you’d be wrong. Reports are surfacing that Equifax has now settled a class action lawsuit that was filed in Indiana. The credit monitoring agency is expected to pay an estimated $19.5 million. From InfoSecurity:

The Hoosier State filed the suit against Equifax after a major data breach at the organization exposed the personal information of over half of all Americans, including 3.9 million Indiana residents.

Between May and June of 2017, threat actors exploited an unpatched Apache Struts vulnerability to gain access to the personal information of around 150 million Equifax customers, about 56% of Americans. Information illegally accessed and copied by the cyber-criminals included highly sensitive financial data, driver’s license numbers, and Social Security numbers.

Indiana’s suit was brought by the state’s attorney general, Curtis Hill. In it, Equifax is accused of failing to adequately protect the state’s residents’ private information.

Under the terms of the settlement, in addition to paying Indiana $19.5m, Equifax must resolve any lingering cybersecurity issues and take action to safeguard information against future cyber-attacks.

Indiana is one of only two states that opted not to participate in a multi-state suit brought against Equifax following the catastrophic breach. This jointly brought suit was settled in July 2019 for the eye-watering sum of $700m with the US Federal Trade Commission, Consumer Financial Protection Bureau, and 48 states and territories.

It may be surprising how long this story has been going on, but with a data breach of this magnitude that occurred in the US, it really shouldn’t be a surprise. Lawsuits do take time to work through the court systems even when the outcome seems to be all but certain.

Still, if you ever wondered how bad things could possibly get when a data breach occurs, this is a great example of just how bad things can spiral out of control. Of all the security incident stories we’ve covered, this is probably the only one where an executive actually received a jail sentence. We’ve seen executives get interrogated before, but an actual jail sentence is something of a novelty for us.

How much more momentum this story has remains unclear, but we’ll keep an eye out for any further developments thi story has to offer.

Drew Wilson on Twitter: @icecube85 and Facebook.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: