This Week in Data Breaches: Equifax Settles for $650 Million Over 2017 Data Breach
It’s been a big week in data security and privacy news. This week, Equifax settled with regulators for at least $650 million over the company’s 2017 data breach, and there have been new reports on popular web browser extensions that were scraping the browsing data of millions of users.
Equifax Settles for $650 Million Over 2017 Data Breach
Equifax, one of the big three US credit bureaus, has settled with the Federal Trade Commission (FTC) for at least $650 million over the company’s 2017 data breach in which the personal and financial information of 147 million people was stolen. The settlement, if approved by the court, will be one of the largest ever for a data breach. According to reports by the New York Times, $380.5 million will go towards a restitution fund for victims and Equifax will be required to provide up to 10 years of free credit monitoring services to those whose data was exposed in the breach.
The Equifax data breach was one of the most severe and alarming data breaches in US history. On September 7, 2017, Equifax announced that the personal information of 143 million Americans, including names, Social Security numbers, addresses, birthdates, and in some cases credit card numbers, had been illegally accessed and stolen by hackers. The number of affected people was later revised upward to roughly 147 million. The data breach exposed the highly sensitive private information of nearly half of the American population and put those 147.7 million people at significantly increased risk of identity theft.
Until now, Equifax has mostly evaded accountability for the breach. Under the settlement, Equifax will also pay $175 million to resolve ongoing investigations by state attorneys general around the country and a $100 million fine to the Consumer Financial Protection Bureau (CFPB). You can visit https://www.equifaxbreachsettlement.com/ for more information on how to file a claim and what benefits you may be eligible for. According to the site, which was set up by a third-party settlement administrator, victims may be able to claim as much as $20,000 for documented losses related to the breach.
Following news of the settlement, New York Attorney General Letitia James told the New York Times, “Equifax put profits over privacy and greed over people, and must be held accountable to the millions of people they have put at risk. This company’s ineptitude, negligence and lax security standards endangered the identities of half the U.S. population.”
For more information on the Equifax breach, check out our article on the hack one year later and our new guide to data breaches.
Web Browser Extensions Caught Scraping Data on Millions
Ars Technica and the Washington Post reported last week that some popular Firefox and Chrome browser extensions scraped and sold data on more than 4 million users in a scheme dubbed “DataSpii”. The seemingly innocuous extensions collected the URLs, page titles, and content of webpages that users visited and then sold the browsing histories to a marketing intelligence firm called Nacho Analytics. Nacho Analytics then published the browsing histories, where they were available to its paying subscribers.
What made the scheme so nefarious was that in some cases the published browsing history gave viewers unauthorized access to pages that were not protected by a login and could be opened by anyone who had the link, including pages holding sensitive documents or accounts such as tax returns or Nest camera feeds, a serious invasion of privacy. According to Ars Technica, the data published by Nacho Analytics included links to home and business videos hosted on Nest, tax returns hosted on Intuit, vehicle identification numbers (VINs) of recently purchased vehicles, health care records on DrChrono, private Facebook Messenger photos, and travel itineraries on Priceline, Booking.com, and major airlines such as Southwest and United.
An investigation by Ars found that many of the extensions stated in either their terms of service or privacy policies that they collected and shared user data with third parties, and Nacho Analytics claimed that all of its data came from users who had “opted in”. However, it is well known that most consumers don’t actually read privacy policies before agreeing to them, often because these policies are so long and arcane that it would take hours if not days to make sense of them.
After being alerted to the data collection, Google removed seven extensions linked to DataSpii from its Chrome Web Store and Mozilla disabled two in Firefox. The full list of extensions found to be collecting and selling data includes Hover Zoom, SpeakIt!, Fairshare Unlock, PanelMeasurement, Panel Community Surveys, Branded Surveys, Savefrom.net Helper, and Super Zoom.
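How this kind of scraping turns into an access problem is easiest to see in code. The following JavaScript is an added example written for this post, not code from any of the extensions named above or from Nacho Analytics. It does two things: it audits an extension manifest for the permissions that let an extension observe every URL, title and page body a user visits, and it scans a few browsing-history records for URLs that act as bearer credentials (a tokenised or share-style link that opens a tax return or camera feed for anyone holding it), redacting the secret part so the history can be reviewed safely. The manifest, the history records and the hostnames are all constructed for the example, and the list of secret-looking parameter names is a starting heuristic, not an exhaustive one.

```javascript
// Added example for this post (not code from the DataSpii extensions or Nacho Analytics).
// Runs under Node.js with no dependencies. Two checks:
//   auditManifest(manifest)     - which declared permissions let an extension watch every
//                                 URL/title (tabs, history, webRequest, webNavigation) and
//                                 read page content on every site (<all_urls> host patterns).
//   findCapabilityUrls(records) - which history entries carry a URL that is itself a
//                                 credential: a secret-looking query parameter or an opaque
//                                 share-style path segment. Such links are why a published
//                                 browsing history exposes the page behind it.
// The secret-parameter list and length thresholds are heuristics chosen for this example.

const BROAD_API_PERMISSIONS = new Set(['tabs', 'history', 'webRequest', 'webNavigation']);
const ALL_HOSTS = /^(<all_urls>|\*:\/\/\*\/\*|https?:\/\/\*\/\*)$/;

function auditManifest(manifest) {
  const findings = [];
  const declared = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  for (const p of declared) {
    if (BROAD_API_PERMISSIONS.has(p)) {
      findings.push(`permission "${p}": can observe the URL and title of every page visited`);
    } else if (ALL_HOSTS.test(p)) {
      findings.push(`host permission "${p}": can inject scripts into every site`);
    }
  }
  for (const script of manifest.content_scripts || []) {
    for (const m of script.matches || []) {
      if (ALL_HOSTS.test(m)) findings.push(`content script on "${m}": can read the DOM of every page`);
    }
  }
  return findings;
}

// Query keys that commonly carry a bearer secret, and a pattern for long opaque
// path segments such as share links (base64url / hex-like, 24+ chars, no dots).
const SECRET_PARAMS = /^(token|access_token|auth|key|apikey|api_key|sig|signature|share|code|session|sid)$/i;
const OPAQUE_SEGMENT = /^[A-Za-z0-9_-]{24,}$/;

// Returns a copy of the URL with secret query values and opaque path segments replaced.
function redactUrl(u) {
  const r = new URL(u.toString());
  for (const k of [...r.searchParams.keys()]) {
    if (SECRET_PARAMS.test(k)) r.searchParams.set(k, 'REDACTED');
  }
  r.pathname = r.pathname.split('/').map(s => (OPAQUE_SEGMENT.test(s) ? 'REDACTED' : s)).join('/');
  return r.toString();
}

// records: [{ url, title }] as exported from a browser history; returns the flagged ones.
function findCapabilityUrls(records) {
  const flagged = [];
  for (const rec of records) {
    let u;
    try { u = new URL(rec.url); } catch { continue; } // skip malformed entries
    const reasons = [];
    for (const [k, v] of u.searchParams) {
      if (SECRET_PARAMS.test(k) && v.length >= 8) reasons.push(`secret-looking query parameter "${k}"`);
    }
    for (const seg of u.pathname.split('/')) {
      if (OPAQUE_SEGMENT.test(seg)) reasons.push('opaque share-style path segment');
    }
    if (reasons.length) flagged.push({ url: redactUrl(u), title: rec.title, reasons });
  }
  return flagged;
}

// Constructed sample data (illustrative hostnames, fake secrets).
const SAMPLE_MANIFEST = {
  manifest_version: 2,
  name: 'Example Zoom Helper',
  permissions: ['tabs', 'storage', '<all_urls>'],
  content_scripts: [{ matches: ['<all_urls>'], js: ['content.js'] }],
};
const SAMPLE_HISTORY = [
  { url: 'https://video.nest-example.test/share/aGVsbG8td29ybGQtc2VjcmV0LXRva2Vu', title: 'Front door camera' },
  { url: 'https://tax.intuit-example.test/return.pdf?access_token=4f3c9a1b2d7e8f60a1b2c3d4', title: '2018 Form 1040' },
  { url: 'https://news.example.test/security', title: 'Security news' },
];

console.log(auditManifest(SAMPLE_MANIFEST));
console.log(findCapabilityUrls(SAMPLE_HISTORY));
```

Run it with `node` and the two flagged entries come back with the token and share segment replaced by `REDACTED`, while the plain news page is ignored. The manifest audit is the check to run before installing an extension: `tabs` alone is enough to see every URL and title, and an `<all_urls>` content script is enough to read the page body, which is exactly the data DataSpii collected.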
UK Privacy Watchdog Fines Marriott $123 Million for 2018 Data Breach
General Data Protection Regulation (GDPR) fines are starting to come fast and furious. Following closely on the heels of a record-setting $230 million fine against British Airways, the UK’s Information Commissioner’s Office (ICO) announced its intention to fine Marriott $123 million under the GDPR for the company’s massive 2018 data breach, which exposed the personal information of over 383 million customers worldwide.
With a major fine against British Airways and now Marriott in the span of just a few days, the UK privacy watchdog has made clear that it will vigorously pursue and impose fines for data breaches under the GDPR. In a statement, Information Commissioner Elizabeth Denham said, “The GDPR makes it clear that organisations must be accountable for the personal data they hold...Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”
Marriott first disclosed a massive breach of its Starwood reservation system in November of 2018, announcing that the breach exposed the personal and financial information of 500 million guests. That number was later revised to 383 million. The stolen reservation records included names, addresses, dates of birth, passport numbers, email addresses, phone numbers, and encrypted credit card numbers.
Marriott learned of the breach in September 2018. Initially, Marriott found a remote access trojan (RAT) and Mimikatz, a credential-theft tool that harvests Windows passwords and password hashes from memory, on the Starwood systems, but found no evidence that customer data had been accessed. It wasn’t until November that Marriott discovered that the attackers had had access to the Starwood reservation system since July 2014, more than two years before Marriott acquired Starwood.
As with many other high-profile breaches, it took Marriott months from first detection before it alerted customers or regulators. The scope and scale of the Marriott breach, in both the number of records and the four years of undetected access, make it one of the most egregious data security incidents in years.
Bloom: Take Back Control of Your Data
At Bloom, we are giving you the tools to take back control of your data. No more centralized data storage. No more selling off your data to the highest bidder. No more risking identity theft. Bloom enables you to own, control, and protect your data using the latest advancements in blockchain technology.
It’s time to take back control of your data and unlock the power of a secure, reusable identity today. Download the Bloom mobile app to build a cryptographically secure identity and get free data breach alerts with Radar!