Equifax finally coughs up the money for its 2017 monster hack… to the banks for having to cancel your cards
What did happen to the $125 everyone was promised?
Equifax has finally agreed to pay compensation for the massive security breach it suffered in 2017 that led to the theft of at least 146 million people's personal info.
But before you get excited, the money won’t be going to you, but rather to your bank, which will be paid for the hassle of having to cancel your payment cards.
The credit agency has agreed [PDF] to pay $5.5m to thousands of banks and credit unions who said they were injured by their customers’ details being siphoned off by hackers, and a further $25m to beef up data security. Equifax will also cover the banks' administrative costs, attorney fees, and relevant expenses.
Which begs the question: what happened to the $125 that America's consumer watchdog, the FTC, proudly announced that folks would get thanks to its record-breaking $700m settlement with Equifax?
It’s been more than two-and-a-half years since the biz was thoroughly hacked, and just under a year since the $700m settlement was agreed, so it’s perhaps surprising that not a cent appears to have been given to the people directly impacted by the cyber-break-in.
Even now, with a final settlement approved in December 2019 and a deadline to apply for the money of January 22, 2020 – four months ago – Equifax still apparently hasn’t sent out any checks and still hasn’t given a firm date for when it will do. Questions from The Register on the topic have gone unanswered.
Equifax has gone out of its way to limit the number of applicants, in large part it seems to avoid the embarrassment of admitting how bad the deal is for you and me. The $125 headline figure, it turns out, has assumed that only a very small percentage of those eligible would actually apply.
But thanks to the sheer size of the leak, the issue was extensively covered in the press and that massively increased the number of people who applied for compo. This forced the FTC to admit that it hadn’t agreed a per-violation fine, but rather a lump sum that would be split equally between applicants.
So, about that money...
Not only that but behind the $700m headline figure was a different reality: the FTC had agreed to just $31m for the pot that was to be split equally among individual applicants. The rest was earmarked for those who demonstrated they were left out of pocket by the hack, mitigations, money for states, and so on.
Since then, Equifax put hurdle in front of hurdle to dissuade people from actually asking for the cash: you were only entitled to the dosh if you already had a credit monitoring service; otherwise your compensation would be access to Experian’s service for four years followed by Equifax’s own service for a further six – an offer that it claimed with a straight face was worth much more than the $125 in hard cash.
When that had limited impact and the FTC was still swamped by applications, the regulator got in on the action and urged people to take the credit monitoring deal, warning that they won’t get anywhere near $125 and so the credit monitoring was better than a tiny sum.
But it became clear everyone still wanted the cash, so Equifax explained that it would need evidence from everyone that they had a credit monitoring service, along with a wealth of other personal data provided through an online form. How would 147 million people know where to find the form? It was in a single email sent out, pointing to a website with more information: EquifaxBreachSettlement.com.
So why has the money still not turned up? It may have something to do with the 1,000-plus people who were unhappy with the FTC deal, and filed an objection to it, looking to run a class-action lawsuit against the company instead.
Enter Ted Frank
A settlement in that case was due to be approved in January – just before the FTC application deadline – but has itself run into legal problems. There were more than 700 class members who objected to that deal, including foe of bad class-action lawsuits Ted Frank, yet the judge threw out all of their objections and, somewhat oddly, attacked [PDF] Frank for being a “serial objector.”
Frank has been a one-man crusader for fixing the law around class-action lawsuits, and argued at the Supreme Court in an effort to fix the rules about where a lot of class action money actually goes (short version: to the lawyers’ old law schools, rather than the people affected.)
Frank strongly suspects that the judge simply signed off on the deal cooked up by the lawyers, and has now argued to the appeals courts that the judge had “improperly relied” on the legal eagles when drafting his opinion.
So while Equifax settles with states, and banks, and hopefully those consumers who rejected the FTC’s terrible deal, it seems that no money will be forthcoming for those who have gone to the trouble of trying to get the $125 they were promised. ®