Equifax has agreed to pay as much as $700 million to settle a series of state and federal investigations into a massive 2017 data breach that left more than 147 million Americans’ Social Security numbers, credit-card details and other sensitive information exposed.
The punishment includes payments to affected consumers, fines to peeved regulators and a host of required changes to the credit-reporting agency’s business practices, government officials said Monday, as they faulted Equifax for putting more than half of all U.S. adults at risk for identity theft and fraud.
“This is the largest data breach settlement in U.S. history,” said Pennsylvania Attorney General Josh Shapiro.
“These data breaches occur because of corporate greed. Corporate leaders decided to put an extra dollar of profit into their pocket, as opposed to that dollar going into the infrastructure of the company to protect their data.”
“This data breach was astonishing, not only because of the number of consumers affected, but also because of the key personal information that it exposed,” Iowa Attorney General Miller said in a statement Monday.
“This agreement offers financial reimbursement for victims and will help protect against another breach.”
Under an agreement with the attorneys general from Iowa and 47 other states as well as the District of Columbia and Puerto Rico, Atlanta-based Equifax will set aside up to $425 million to reimburse victims of the breach, including those who experienced identity theft.
ARTICLE CONTINUES BELOW ADVERTISEMENT
Equifax also will offer 10 years of credit-monitoring services to consumers who have been harmed, invest more heavily in its own cybersecurity and pay $175 million to the states themselves, officials said.
Mark W. Begor, Equifax CEO, touted cybersecurity improvements it made after the breach.
“The consumer fund of up to $425 million that we are announcing today reinforces our commitment to putting consumers first and safeguarding their data — and reflects the seriousness with which we take this matter,” he said in a statement.
The Equifax breach, which the credit-reporting agency first acknowledged in September 2017, amounted to one of the worst security incidents in U.S. history given the number of Americans affected and the sensitivity of the information that hackers were able to access.
Names, home addresses and birth dates were left exposed, and in some cases, Americans’ driver’s license numbers were left vulnerable to theft, too.
Consumers who might be eligible for redress will be required to submit claims online, by mail or by phone, Miller’s office said. Consumers should sign up at www.ftc.gov/Equifax or call 1-833-759-2982 for more information.