Equifax will pay up to $700 million over 2017 data breach

Consumer credit bureau Equifax has reached a deal with state and federal regulators to pay at least $650 million related to a 2017 data breach that exposed the personal data of close to 150 million Americans.

The settlement, announced by the Federal Trade Commission on Monday, has to receive approval from a federal court. It requires the company to create a fund of at least $300 million and up to $425 million for consumers affected by the hack. The amount of money in the restitution fund could change depending on the number of people who file claims saying they were harmed by the 2017 data breach.

The Atlanta-based company also agreed to pay $175 million in fines to the 48 states, the District of Columbia, and Puerto Rico that investigated the hack, which exposed the names, birth dates, Social Security numbers, addresses, and other information of millions of consumers.

In addition to settling the investigations from the states, the deal also ends probes from the Federal Trade Commission, which oversees enforcement of federal privacy regulations, and the Consumer Financial Protection Bureau. The Federal Trade Commission alleged that Equifax violated its prohibition against unfair and deceptive practices.

“Companies that profit from personal information have an extra responsibility to protect and secure that data,” said Federal Trade Commission Chairman Joe Simons. “Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers.”

Beyond the monetary relief Equifax has agreed to provide consumers, the company also must create an information security program and conduct annual assessments of its security risks.

“Equifax put profits over privacy and greed over people, and must be held accountable to the millions of people they put at risk,” said New York Attorney General Letitia James, who helped lead the coalition of 50 attorneys general, in a statement. “This company’s ineptitude, negligence, and lax security standards endangered the identities of half the U.S. population.”

Equifax CEO Mark Begor said the settlement is a “positive step for U.S. consumers and Equifax.”

“The consumer fund of up to $425 million that we are announcing today reinforces our commitment to putting consumers first and safeguarding their data — and reflects the seriousness with which we take this matter,” he said.

The data breach occurred in the summer of 2017 but wasn’t disclosed by Equifax until that September. It came after the company failed to patch a software vulnerability despite being warned about it in March 2017.

After the breach was disclosed to the public, Equifax came under intense scrutiny from Congress, which in recent years has placed a heightened focus on data security. Its CEO, Richard Smith, stepped down amid the backlash and Equifax named Begor as its new chief in March 2018.
