Equifax agreed to pay $575 million, and possibly as much as $700 million, over its 2017 hacking incident.
The settlement includes $300 million for a fund to provide restitution to consumers harmed by the hack, a payment of $175 million to 48 states, the District of Columbia, and Puerto Rico, and penalties of $100 million to the Consumer Financial Protection Bureau. Equifax will add up to $125 million to the fund if the initial $300 million is not enough to compensate victims. Consumers who were affected by the hack can seek cash reimbursement of up to $20,000, including time spent dealing with identity theft, the FTC said.
The settlement resolves consumer class action litigation, as well as investigations by the Federal Trade Commission, the CFPB, and the New York Department of Financial Services. In its complaint, the FTC alleged that Equifax failed to secure the massive amount of personal information stored on its network, including names and dates of birth, Social Security numbers, physical addresses, and other personal information that could lead to identity theft and fraud.
In a statement, Attorney General Karl Racine said the settlement was the largest ever for a data breach. Hackers stole at least 147 million names and dates of birth, 145.5 million Social Security numbers, and 209,000 payment card numbers and expiration dates. Hackers accessed the data because Equifax failed to implement basic security measures, according to the complaint.
Under the settlement, Equifax agreed to improve data security, including assigning staff. The company would also be subjected to third-party monitoring every two years.
Victims of the hack can receive four years of free credit monitoring at all three credit bureaus or an additional six years of free credit monitoring of their Equifax credit report. Data connected to the hack has never been found on the dark web, and intelligence experts have said they think it was likely stolen by foreign intelligence agents.