Equifax has agreed to a settlement over its 2017 data breach that saw as many as 147 million people’s personal information, including names, birth dates, addresses, and social security numbers, exposed by the company. As part of the settlement, the company will pay at least $575 million, but this could rise to as much as $700 million depending on the amount of compensation people claim. The company has agreed to provide free credit monitoring services to anyone affected for up to 10 years, as well as cash payments of up to $20,000 per person to refund any costs incurred as a result of the breach.
“Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers,” said FTC Chairman Joe Simons. “This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud.”
“This company’s ineptitude, negligence, and lax security standards endangered the identities of half the U.S. population,” New York Attorney General Letitia James added in a statement to Reuters.
The breach, which has been called one of the worst in US history, was disclosed in September 2017 after Equifax failed to patch a vulnerability it was made aware of in March that year. Although its security team initially ordered the vulnerability to be patched, it never followed up to make sure this had actually happened. The company’s former CEO later blamed a single employee for this.
The continued existence of the vulnerability allowed hackers to access Equifax’s servers, where they obtained an administrator’s credentials stored in plain text. They could then use these to gain continuous access and to steal the personal information of millions of people over the course of months.
In total, the breach exposed 147 million people’s names and dates of birth, 145.5 million social security numbers, and 209,000 payment card numbers and expiration dates. The Wall Street Journal notes that many of these people would not even have been customers of Equifax, since the company makes a lot of its money from selling credit reports and other products to lenders to evaluate their potential customers.
As well as paying money out to anyone affected by the breach, Equifax has also agreed to a number of internal measures to prevent such a breach from happening again. For example, it has agreed to conduct an annual internal assessment of security risks, and to obtain a third-party assessment every two years. The FTC has even set up a dedicated email for Equifax whistle-blowers to use if they don’t think the company is adhering to its data security obligations.
The FTC has set up a page on its site to provide information to people who want to make a claim against Equifax.