Equifax finally coughs up the money for its 2017 monster hack… to the banks for having to cancel your cards

What did happen to the $125 everyone was promised?

Equifax has finally agreed to pay compensation for the massive security breach it suffered in 2017 that led to the theft of at least 146 million people's personal info.

But before you get excited, the money won’t be going to you, but rather to your bank, which will be paid for the hassle of having to cancel your payment cards.

The credit agency has agreed [PDF] to pay $5.5m to thousands of banks and credit unions who said they were injured by their customers’ details being siphoned off by hackers, and a further $25m to beef up data security. Equifax will also cover the banks' administrative costs, attorney fees, and relevant expenses.

Which begs the question: what happened to the $125 that America's consumer watchdog, the FTC, proudly announced that folks would get thanks to its record-breaking $700m settlement with Equifax?

It’s been more than two-and-a-half years since the biz was thoroughly hacked, and just under a year since the $700m settlement was agreed, so it’s perhaps surprising that not a cent appears to have been given to the people directly impacted by the cyber-break-in.

Even now, with a final settlement approved in December 2019 and a deadline to apply for the money of January 22, 2020 – four months ago – Equifax still apparently hasn’t sent out any checks and still hasn’t given a firm date for when it will do so. Questions from The Register on the topic have gone unanswered.

Equifax has gone out of its way to limit the number of applicants, in large part, it seems, to avoid the embarrassment of admitting how bad the deal is for you and me. The $125 headline figure, it turns out, assumed that only a very small percentage of those eligible would actually apply.

But thanks to the sheer size of the leak, the issue was extensively covered in the press and that massively increased the number of people who applied for compo. This forced the FTC to admit that it hadn’t agreed a per-violation fine, but rather a lump sum that would be split equally between applicants.

So, about that money...

Not only that but behind the $700m headline figure was a different reality: the FTC had agreed to just $31m for the pot that was to be split equally among individual applicants. The rest was earmarked for those who demonstrated they were left out of pocket by the hack, mitigations, money for states, and so on.

Since then, Equifax put hurdle in front of hurdle to dissuade people from actually asking for the cash: you were only entitled to the dosh if you already had a credit monitoring service; otherwise your compensation would be access to Experian’s service for four years followed by Equifax’s own service for a further six – an offer that it claimed with a straight face was worth much more than the $125 in hard cash.

When that had limited impact and the FTC was still swamped by applications, the regulator got in on the action and urged people to take the credit monitoring deal, warning that they wouldn’t get anywhere near $125 and so the credit monitoring was better than a tiny sum.

But it became clear everyone still wanted the cash, so Equifax explained that it would need evidence from everyone that they had a credit monitoring service, along with a wealth of other personal data provided through an online form. How would 147 million people know where to find the form? It was in a single email sent out, pointing to a website with more information: EquifaxBreachSettlement.com.

So why has the money still not turned up? It may have something to do with the 1,000-plus people who were unhappy with the FTC deal, and filed an objection to it, looking to run a class-action lawsuit against the company instead.

Enter Ted Frank

A settlement in that case was due to be approved in January – just before the FTC application deadline – but has itself run into legal problems. There were more than 700 class members who objected to that deal, including foe of bad class-action lawsuits Ted Frank, yet the judge threw out all of their objections and, somewhat oddly, attacked [PDF] Frank for being a “serial objector.”

Frank has been a one-man crusader for fixing the law around class-action lawsuits, and argued at the Supreme Court in an effort to fix the rules about where a lot of class action money actually goes (short version: to the lawyers’ old law schools, rather than the people affected.)

Frank strongly suspects that the judge simply signed off on the deal cooked up by the lawyers, and has now argued to the appeals courts that the judge had “improperly relied” on the legal eagles when drafting his opinion.

So while Equifax settles with states, and banks, and hopefully those consumers who rejected the FTC’s terrible deal, it seems that no money will be forthcoming for those who have gone to the trouble of trying to get the $125 they were promised. ®
