Biggest Data Breach Settlements: Equifax, Experian, Anthem, Target

Graphic: Nathaniel Blug

November 15, 2019

Hardly a week goes by without word of a new data breach. Some data breaches are perpetrated by bad actors, such as hackers who steal data for purposes of committing identity theft or fraud. In almost half of the cases, however, breaches are accidental exposures in which information is not properly secured and is unintentionally accessed by those who shouldn’t see it.

Many consumers may be aware of the Equifax data breach settlement, the largest to date. Equifax settled for $575 million with the Federal Trade Commission, the Consumer Financial Protection Bureau, and 50 U.S. states and territories after its neglected system maintenance led to the exposure of sensitive records of 147 million U.S. consumers.

What are the biggest data breaches and settlements?

A data breach happens when unauthorized individuals gain access to a company’s database and are able to view and/or steal sensitive information, such as passwords, credit card numbers, Social Security numbers, medical records or other personal information.

Data breaches date back to at least 2005, when hackers stole 1.4 million credit card records from DSW Designer Shoe Warehouse. By today’s standards, that number seems small—but at the time, it was the first major data breach to affect more than a million accounts. Since then, the problem has exploded, as hundreds of millions of records are regularly stolen from businesses or exposed. Companies that have lost more than 500 million records in breaches include Yahoo, Facebook, Verifications.io, Online Spambot and Marriott-Starwood. One of the largest data breaches against a U.S. bank happened earlier this year, when hackers stole the personal data of more than 100 million people from Capital One.

The data breach problem is growing faster than it can be solved, and it comes at a high cost to consumers and companies. About 3.35 billion records were compromised globally—a jump of 72%—between the first half of 2017 and the first half of 2018. Now, almost 6 million records are lost or stolen every day. The average data breach involves 25,575 records and costs $3.92 million to address, and it takes an average of almost 300 days to identify and contain a breach.

“The number of reported breaches affecting online businesses is increasing,” said Beverly Harzog, credit card expert and consumer finance analyst for U.S. News & World Report. “When EMV credit cards hit the scene, it was predicted that fraud would shift online because this technology made it difficult to clone credit cards. The fraudsters move toward the easiest point of entry.”

The settlements that breached companies must pay have also been getting bigger. Some of the biggest breach settlements include $575 million from Equifax; $230 million from British Airways; $148 million from Uber; $124 million from Marriott International; $85 million from Yahoo; $21 million from Tesco Bank; $18.5 million from Target; and $16 million from Anthem.

Equifax data breach settlement

In 2017, credit monitoring bureau Equifax failed to patch a known vulnerability in its data-management system, which led to the exposure of the personal information of about 147 million U.S. consumers.

A $575 million settlement allows affected consumers to file claims for free credit monitoring. Anyone wishing to file a claim must do so by Jan. 22, 2020.

The way the breach settlement has proceeded highlights how difficult it is to handle consumer compensation. Initially, filers were able to seek cash, in the form of a $125 flat fee, in lieu of credit monitoring. However, an overwhelming response forced Equifax to remove that option. The claim website for breach victims has also experienced operational problems and has (ironically) given rise to impostor sites and phishing attempts.

Experian data breach settlement

A 2015 breach of credit monitoring bureau Experian exposed information of 15 million consumers, including names, addresses, Social Security numbers, driver’s license numbers and passport numbers. In early 2019, the company reached a $22 million settlement in a class action lawsuit resulting from the breach. Those affected could apply for two years’ worth of free credit monitoring and up to $40 in cash. Those who spent time dealing with the breach were also able to apply for compensation to make up for that time. All settlement reimbursements and other payouts have been distributed.

Anthem data breach settlement

Health benefit company Anthem announced in February 2015 that a data breach resulted in the theft of information of about 79 million people, potentially including their names, birth dates, Social Security numbers, health care ID numbers, home addresses, email addresses and employment information. Anthem Inc. and other health benefit companies that were associated with the stolen data agreed to a settlement of $115 million in the resulting class action lawsuit. Eligible members of the lawsuit received either free credit monitoring services or up to $36 cash to pay for an alternate credit monitoring service, free fraud resolution services, or cash reimbursement for expenses relating to the breach. Funds were distributed to claimants in December 2018.

Target data breach settlement

In December 2013, retail giant Target announced that a data breach had exposed the personal information, such as names, addresses and phone numbers, of 70 million U.S. consumers, as well as 40 million credit card numbers. The hackers gained access to Target’s point-of-sale system and took customer magstripe data that can be used to make counterfeit cards. Target agreed to pay a settlement of $18.5 million to 47 states and the District of Columbia. As a result of the data breach, the retailer was also required to hire someone to manage a “comprehensive information security program” to improve its data security.

Conclusion

It’s nearly impossible to keep tabs on the number of data breaches and settlements happening on a monthly basis—and it’s very possible your data may have been exposed without you even being aware of it (you can check here).

But keep an eye out for news regarding companies you’ve done business with. You may want to peruse the FTC’s news feed or follow Data Breach Today to stay in the loop.

“It’s essential to be proactive,” said Harzog. “As soon as you hear of a breach that might affect you, check your online accounts for fraudulent purchases and change your passwords. Also, get your free credit reports and review them for fraudulent accounts.”
