Equifax Will Fork Up to $700 Million to Compensate for 2017 Data Breach

Nearly two years after a catastrophic data breach compromised the sensitive personal information of more than 140 million people, credit reporting agency Equifax agreed to pay up to $700 million to help those consumers recover. 

Equifax struck a global settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau and 50 U.S. states and territories. The agreement is still subject to approval by a federal court, according to an FTC statement issued Monday.

“Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers,” FTC Chairman Joe Simons said in a statement. “This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud.”

The FTC alleges that the company failed to implement basic security measures, which ultimately allowed bad actors to access a staggering amount of consumer data in 2017. In March of that year, Equifax was alerted to a critical security vulnerability in a specific database holding troves of personal credit information, but by July the database remained unpatched. Hackers were able to access an unsecured file with administrative credentials inside it, which then allowed them to retrieve customers’ personal information while operating undetected on the company’s networks for months. 

Once Equifax’s security team detected suspicious traffic within its network, it was too late. 

“[H]ackers stole at least 147 million names and dates of birth, 145.5 million Social Security numbers, and 209,000 payment card numbers and expiration dates,” FTC said. 

According to the proposed settlement, the company has agreed to allocate at least $300 million, and up to $425 million, into a fund that will provide consumers impacted by the breach with credit monitoring services. It also aims to compensate individuals who bought their own monitoring services to protect themselves after the breach, offering to pay $125 to those who personally funded at least six months of such services. 

In a statement, Equifax Chief Executive Officer Mark Begor said the consumer fund “reinforces [the company’s] commitment to putting consumers first and safeguarding their data—and reflects the seriousness with which we take this matter.”

Those impacted by the breach may also be eligible to receive up to $20,000 in reimbursements for the time and money they spent to protect themselves or recover from identity theft, and for 25% of what they paid for Equifax credit monitoring or identity protection products they paid for during the year before the breach was announced.

While those affected cannot file a claim just yet, FTC said they can sign up for email alerts about the settlement to stay up to date on the latest information around how to proceed. The claims process will likely begin following court approval. 

Equifax also said it would pay $175 million to 48 states, the District of Columbia and Puerto Rico, and $100 million to the CFPB in civil penalties. And starting in January 2020, the company will offer all U.S. consumers six free credit reports each year for seven years. 

On top of providing financial relief, the company must also implement “a comprehensive information security program” through which it will designate an employee to oversee the information security program, conduct assessments of internal and external security risks, and implement safeguards to address potential threats and vulnerabilities, among other measures. 

And lawmakers from both chambers were quick to weigh in on the settlement—a few issuing harsh statements that it does not go far enough to make up for the lifelong detrimental impacts such breaches have on American consumers.  

“This settlement does not come close to making consumers whole and, once again, shows the limitations on the FTC’s ability to seek strong penalties and effective redress for consumers,” Energy and Commerce Committee Chairman Rep. Frank Pallone, Jr., D-N.J., said in a statement. “It also shows that we need a comprehensive data privacy and security law to ensure companies are designing their systems to protect consumer privacy from the start, minimizing the personal information they keep, and are held appropriately accountable if they fail.”

Sen. Mark Warner, D-Va., who is co-sponsoring a bill that would hold credit reporting agencies more accountable for data breaches, also called for steeper penalties on credit bureaus that fail to secure American’s sensitive personal data. 

“While I’m happy to see that customers who have been harmed as a result of Equifax’s shoddy cybersecurity practices will see some compensation, we need structural reforms and increased oversight of credit reporting agencies in order to make sure that this never happens again,” Warner said in a statement.