Equifax allowed the private information of almost half the U.S. population to be stolen in a massive data breach in 2017 after failing to patch a security flaw, and now so many victims are choosing a $125 cash payment over credit monitoring, they’re blowing up the math of the mega-settlement announced July 22.
The Federal Trade Commission sent out statements on Wednesday, including a press release and a blog post, assuring victims a payment was still a choice, but it urged people to choose the credit monitoring. The statements said that if victims wanted a payment, the actual amount would be much smaller than the $125 initially offered because they hadn’t foreseen that so many people would want the cash. The FTC promised the payment-seekers: “You will be disappointed.”
A question and answer series on the FTC’s website said:
Question 5: I thought I could choose $125 instead of free credit monitoring. What happened?
Answer: The public response to the settlement has been overwhelming. Millions of people have visited this site in just the first week. Because the total amount available for these alternative payments is $31 million, each person who takes the money option is going to get a very small amount. Nowhere near the $125 they could have gotten if there hadn’t been such an enormous number of claims filed.
The answer ends with: “You can still choose the cash option on the claim form, but you will be disappointed with the amount you receive and you won’t get the free credit monitoring.”
That prompted one Twitter user to comment, “It's ironic because paying less than the full amount is exactly what Equifax tracks and punishes you for.”
Equifax and the FTC declined to comment.
In the same Q&A, the FTC also said: “The free credit monitoring provides a much better value, and everyone whose information was exposed can take advantage of it. If your information was exposed in the data breach, and you file a valid claim before the deadline, you are guaranteed at least four years of free monitoring at all three credit bureaus (Equifax, Experian, and TransUnion) and $1,000,000 of identity theft insurance, among other benefits. The market value of this product is hundreds of dollars per year.”
The 294-page agreement laid out details, including $300 million for credit monitoring services, $175 million to states and $100 million in penalties to the CFPB. Another $125 million could be added to that if the initial amount isn't enough to cover consumers' losses, bringing the total potential tab up to $700 million, the FTC said. According to the agreement, Equifax estimated the number of victims to be about 147 million, which equals almost half of the overall U.S. population and, if you're not counting children, about two-thirds of the nation's adult population based on 2018 Census data.
In Oct. 2017 sworn testimony to Congress, Equifax’s former CEO Richard Smith, who had retired at the age of 57 a month earlier as part of the fallout of the breach, laid out what happened. According to Smith's testimony:
On March 8, 2017, the U.S. Department of Homeland Security sent Equifax notice of the need to patch a security vulnerability in software it was using. The following day, Equifax sent an internal email to its security department ordering its workers to install an available software update that would fix the problem. The patch wasn’t made, and there was no follow-up to check if it was done.
On July 29, almost five months later, Equifax’s security department observed suspicious network traffic and the following day shut down the vulnerable program. Smith, as CEO, learned of the suspicious activity on Aug. 2 and hired an outside investigator. On Aug. 22, Smith informed the Equifax board of directors that the personal information of more than 140 million people had been stolen and on Sept. 7 the company informed victims via a national announcement.
The U.S. House of Representatives Oversight Committee said in a Dec. 2018 report: “Equifax failed to modernize its technology security to match the company’s aggressive growth strategy and data gathering, a shortcoming that left it open to the 2017 hack, and failed to patch its network after being alerted in March 2017 to a security vulnerability.”
The report continued: “Had the company taken action to address its observable security issues prior to this cyber attack, the data breach could have been prevented.”