Consumer credit reporting agency Equifax announced last week that it expects various forms of punishment from the Consumer Financial Protection Bureau and the Federal Trade Commission over the credit reporting agency’s substantial data breach last year.
Equifax made the announcement in a regulatory filing with the Securities and Exchange Commission.
“Although we are actively cooperating with the above investigations and inquiries, an adverse outcome to any such investigations and inquiries could subject us to fines or other obligations, which may have an adverse effect on how we operate our business or our results of operations,” the company said in its SEC filing.
In September of 2017, Equifax, one of the largest credit reporting agencies in the country, admitted to a massive data breach. According to information from the company, “criminals exploited a U.S. website application vulnerability to gain access to certain files.” Those files included the names, Social Security numbers, birth dates, addresses and, in some cases, driver’s license numbers of approximately 148 million consumers, Equifax stated.
In addition, the company said that the credit card numbers of approximately 209,000 U.S. consumers, and “certain dispute documents with personal identifying information” for approximately 182,000 U.S. consumers were also accessed in the breach.
According to Equifax, the CFPB and FTC have both notified the company that they expect to seek “injunctive relief damages” pursuant to the data breach. Beyond that, the CFPB plans to seek “civil money penalties,” the company said. The company added that it has submitted written responses to both agencies addressing the allegations and said that it continues to cooperate with the agencies in their investigations.
Shortly after Equifax first revealed the data breach, the CFPB indicated that it would begin an investigation. However, some reports at the time indicated that the bureau, then under the leadership of interim director Mick Mulvaney, had backed off the investigation. It now appears that the bureau, now headed by Kathy Kraninger, will indeed seek a fine, though the timing and amount of the fine are unknown.
In addition to the FTC, the SEC and the CFPB, Equifax reported that it is also facing investigations from 48 state Attorneys General offices, the Department of Justice, other U.S. state regulators, several Congressional committees, the Office of the Privacy Commissioner of Canada, and the U.K.’s Financial Conduct Authority. The company is also facing a number of lawsuits from cities and shareholders, and more than 1,000 lawsuits from consumers over the breach.