Government

Equifax settles with Massachusetts, Indiana for nearly $40 million

The resolutions end state claims filed in connection with the 2017 data breach.

April 17, 2020

(Flickr / thaneesh raane)

Nearly three years after one of the largest data breaches in history, state attorneys general still are making Equifax pay.

Massachusetts Attorney General Maura Healy announced Friday the credit processing company has agreed to pay $18.2 million and update its cybersecurity protocols. The settlement will end claims filed in connection with the company’s failure to stop a 2017 data breach that affected roughly 145 million Americans, including roughly 3 million Massachusetts residents.

The announcement comes one day after Indiana Attorney General Curtis Hill said his office has agreed to resolve a class action suit against Equifax for $19.5 million. Both settlements come after Equifax agreed in January to pay $380.5 million as part of yet another settlement with U.S. regulators. Equifax also will be required to spend at least $1 billion on improving its data protection capabilities, and may be required to cover an additional $125 million to cover out-of-pocket claims.

Massachusetts and Indiana did not join other states in the suit against Equifax.

The Massachusetts suit alleged that Equifax had failed to sufficiently protest user data, and then violated state law by delaying notification of the incident for more than a month. Officials in Indiana had similarly alleged that Equifax was negligent in protecting user data.

“Equifax had a duty to protect the private information of our consumers and it failed massively — leading to the worst data breach in history,” Massachusetts Attorney General Maura Healy said in a statement Friday. “Our office secured a significant penalty from Equifax to ensure accountability for this inexcusable conduct.”

The U.S. Department of Justice has indicted four suspected state-sponsored hackers from China in connection with the breach. The attack resulted in the theft of names addresses, birth dates, Social Security numbers and driver’s licenses, and only was possible because Equifax failed to patch a known vulnerability in its systems. Former Department of Justice officials also have criticized the company’s response to the breach.

Equifax settles with Massachusetts, Indiana for nearly $40 million

More Like This

Treasury official: Small financial institutions have ‘growth to do’ in using AI against threats

SEC’s breach disclosure rule raises concerns about tipping off hackers to flawed systems

Atlassian vulnerability at fault in GAO breach

Top Stories

‘Large volume’ of data stolen from UN agency after ransomware attack

FBI director warns of China’s preparations for disruptive infrastructure attacks

More Scoops

GoodRx will settle claim it shared sensitive health data with advertisers

Regulators slam Twitter with $150M fine over using consumer security data for advertising

FTC settlement requires CafePress owners to pay $500,000 to victims of 2019 data breach

Personal data from T-Mobile breach still spreading on dark web, state governments warn

FTC wants to know when financial data is compromised, will require encryption

SEC, education company Pearson settle charges over 2018 security incident for $1 million

Courts order handover of breach forensic reports in trend welcomed by consumers, feared by defendants

Latest Podcasts

How Troy Hunt knows if you’ve been hacked and Washington tries to understand AI

Why pig butchering is the worst kind of online scam

How the FBI fights ransomware

Rumman Chowdhury on AI red-teaming; a Sisense supply chain attack

Government

Technology

Threats

Geopolitics