Equifax, one of the nation’s top three credit reporting agencies, agreed to pay up to $700 million to settle federal and state investigations into the 2017 hack that exposed Social Security numbers and other personal data of almost half the population of the U.S.
“Companies that profit from personal information have an extra responsibility to protect and secure that data,” Federal Trade Commission Chairman Joe Simons said in a statement. “Equifax failed to take basic steps that may have prevented the breach.”
The settlement requires Equifax to pay at least $575 million, which includes $300 million for credit monitoring services, $175 million to states and $100 million in penalties to the Consumer Financial Protection Bureau. Another $125 million could be added if the initial amount is not enough to cover consumers' losses, bringing the total potential tab to as much as $700 million.
Regulators accused Equifax of failing to patch a known security flaw that enabled hackers to swipe about 147 million names and dates of birth, 145.5 million Social Security numbers and 209,000 payment card numbers and expiration dates in 2017. It was one of the largest data breaches in U.S. history.
The FTC also said Equifax stored Social Security numbers and other consumer data in plain text files, which makes them more vulnerable to criminal activity. As part of the deal, Equifax agreed to meet a set standard for security systems and protocols.
"This comprehensive settlement is a positive step for U.S. consumers and Equifax as we move forward from the 2017 cybersecurity incident and focus on our transformation investments in technology and security as a leading data, analytics, and technology company," Equifax CEO Mark W. Begor said in a statement.
Equifax said in May it had set aside $690 million in the first quarter to cover losses from the data breach. Begor said then that the company expects those funds to go toward losses connected with a “potential global resolution of the consumer class-action cases and the investigations by certain federal and state regulators.” According to the company, that amount did not include the company’s legal and professional services expenses.
The settlement will make available a total of $425 million for the time and money consumers spent to protect themselves from potential threats of identity theft, as well as losses stemming from identity theft, CFPB Director Kathleen Kraninger said in a statement.
“We encourage consumers impacted by the breach to submit their claims in order to receive free credit monitoring or cash reimbursements,” she said.
Information on submitting claims, including payment of $25 an hour for up to 20 hours consumers may have spent dealing with the breach, can be found at ftc.gov/Equifax.
The FTC also set up a "whistleblower" email address for Equifax employees to report violations of the agreement: firstname.lastname@example.org.
The regulator said it "encourages Equifax employees who believe the company is failing to adhere to its data security promise to email the FTC."