Between May and June 2017, cyber-criminals gained access to around 150 million records of Atlanta-based credit monitoring service Equifax by exploiting an unpatched Apache Struts vulnerability.
The breach impacted roughly 56% of America’s population and millions of consumers in the UK, costing Equifax over $1.35bn in losses.
Information exposed included names, Social Security numbers, dates of birth, addresses, and, in some cases, driver's license numbers.
A suit brought against Equifax by financial institutions after they were forced to absorb the expense of the breach has now been settled.
Chief Judge Thomas Thrash of the Northern District of Georgia gave final approval to the $7.75m settlement yesterday during a hearing held via Zoom. Legal fees of $2m were included in the resolution.
As part of the agreement, Equifax has committed to investing an additional $25m to enhance data security measures tailored to financial institutions. The investment is scheduled to occur over the next two years.
Thrash described the settlement as “an excellent one” and said that the class lawyers’ request for $2m in legal fees was “appropriate.”
“The fact there were no objections from class members weighs in favor of approving the settlement,” stated Thrash.
Equifax has ring-fenced $5.5m to pay up to $5,000 to each financial institution for costs associated with the theft of customers’ personal information or fraud losses.
Each of the 21 financial institutions listed as plaintiffs in the multi-district litigation will be paid $1,500 from the fund.
The settlement with the financial institutions is separate from a $1.4bn settlement reached by Equifax in December 2019 with legal representatives of roughly 147 million consumers whose data was exposed in the 2017 breach. That settlement included $77.5m in legal fees and over $1.4m in expenses for class-action lawyers.
In April this year, Equifax agreed to pay $19.5m to settle a separate class-action lawsuit brought by the State of Indiana over the 2017 data breach.