A brief overview of the situation
In 2017, the credit bureau Equifax reported a massive cyberattack that resulted in the theft of the personal data of nearly 150 million Americans. Ars Technica called it the “worst leak of all time” because it affected social security numbers, credit cards and driver’s licenses. The cause was a vulnerability in the open-source Apache Struts framework (CVE-2017-5638) associated with an error in handling exceptions when uploading files. Equifax specialists did not manage to install the patch, which had been released two months before the cyberattack.
Several regulators took up the investigation at once: the US Federal Trade Commission (FTC), the Consumer Financial Protection Bureau and prosecutors in most states. As a result, the credit bureau agreed to pay compensation of $700 million. This amount includes fines and payments to US citizens whose data was leaked online. However, the size of these payments has raised questions.
Why are the payouts so small
The Equifax incident received wide media coverage, and the bureau was criticized by the community. Despite this, US citizens are in no hurry to claim their compensation: so far, about 10% of the victims have filed claims. They were offered two payment options: compensation for credit monitoring costs of $125, or cash.
This is where the organization ran into difficulties. Equifax did not expect that most claimants would choose the second option. The cash fund allocated for direct payments amounted to only $31 million. As a result, the amount that a person can actually receive dropped to $6.8.
It is not yet clear how the situation will develop, but the FTC has stepped in to help resolve it: the commission published an open letter urging citizens to decline cash and choose compensation for credit monitoring expenses.
At the beginning of the year, an American court finished considering another case related to the leak at the credit bureau. Equifax will additionally pay up to $20 thousand to every customer who suffered financial losses due to the leak of personal data. The court also ordered the bureau to direct $1 billion to developing its IT infrastructure and strengthening the protection of personal data, although the organization notes that it already allocated a billion dollars to strengthening information security between 2018 and 2020.
Who else paid and will pay for leaks
Equifax’s data leak is one of the largest of the past few years, but not the only one. For example, in October 2019, Yahoo agreed to spend $117.5 million on payments to users affected by the leak of personal data in 2013. According to preliminary estimates, each of them will receive approximately $358, although experts expect that in practice this amount will be significantly less (as is the case with Equifax).
In the near future, Facebook will also have to make a large payment. In the autumn, more than 400 million phone numbers of the social network’s users ended up on the Internet because the database containing them was stored on an unsecured server. One of the first to take an interest in the issue was the Irish regulator, which may impose a fine of $2.2 billion under GDPR. But it is too early to say how much of this amount will go directly to payments to affected users.
Given how regularly hacks and leaks occur, you need to stay on your guard: take measures to protect your personal data and study materials on the topic yourself. To help with that, we prepared a small digest (at the end of the post).
More content on our corporate blog:
Potential attacks on HTTPS and how to defend against them
How to “cover your tracks” and remove yourself from most popular services
How to protect a virtual server on the Internet
Benchmarks for Linux servers