By Christian Hetrick

Equifax has agreed to pay up to $700 million to settle federal and state investigations into a 2017 data breach that exposed Social Security numbers and other sensitive information for nearly 150 million people.

The proposed settlement, announced Monday, would be the largest ever paid by a company over a data breach. The deal with the Federal Trade Commission, the Consumer Financial Protection Bureau (CFPB), and 50 U.S. states and territories would require Equifax to pay $300 million into a fund that would provide credit monitoring services and other compensation to affected consumers. The credit bureau would add $125 million to that fund if needed.

In addition, Equifax has agreed to pay $175 million to 48 states, the District of Columbia and Puerto Rico, as well as $100 million to the CFPB in civil penalties. The company must also spend at least $1 billion to improve its data security, according to a settlement filed in a class-action lawsuit against Equifax.

Hackers gained access to the Equifax network in May 2017 and attacked the company for 76 days, according to a House Oversight Committee report. Equifax noticed "red flags" in late July, and then in early August contacted the Federal Bureau of Investigation, outside counsel and cybersecurity firm Mandiant. The company waited until September to inform the public of the breach.

The hackers stole at least 147 million names and dates of birth, 145.5 million Social Security numbers, and 209,000 payment card numbers and expiration dates, according to the FTC. The breach affected 5.5 million Pennsylvanians, according to the state Attorney General's Office.

Federal and state investigators claimed the credit reporting agency failed to secure the massive amount of personal information stored on its network. Equifax was allegedly alerted in March 2017 to a security vulnerability in the database that handles inquiries from consumers about their personal credit data. Equifax's security team ordered that vulnerable systems be patched, but there was no follow-up to ensure the order was carried out, the FTC said.

Equifax did not patch the vulnerability for 145 days, said Pennsylvania Attorney General Josh Shapiro, who said his office was among the first state offices to investigate the breach.

"If someone breaks your front door down, you don't wait 145 days to put up a new door with a working lock," Shapiro said during a conference call with reporters. "Equifax's failure to act left their systems susceptible to attack, and sure enough, just two months later... their systems were breached."

In a statement, Equifax CEO Mark W. Begor called the settlement "a positive step for U.S. consumers and Equifax."

"The consumer fund of up to $425 million that we are announcing today reinforces our commitment to putting consumers first and safeguarding their data -- and reflects the seriousness with which we take this matter," Begor said. "We have been committed to resolving this issue for consumers and have the financial capacity to manage the settlement while continuing our $1.25 billion EFX2020 technology and security investment program. We are focused on the future of Equifax and returning to market leadership and growth."

The proposed settlement must still be approved by a federal judge in Georgia.

Affected consumers would be eligible to receive up to $20,000 if they file claims for time and money they spent due to the breach, including reimbursements for credit monitoring, identity theft protection, and freezing or unfreezing credit reports, the CFPB said.

In addition, all affected consumers would be eligible to receive at least 10 years of free credit-monitoring and at least seven years of free identity-restoration services. For seven years starting on Dec. 31, all U.S. consumers can request up to six free copies of their Equifax credit report during any 12-month period, the CFPB said.

If the court approves the settlement, consumers can submit a claim online at

Bloomberg contributed to this report.

(c)2019 The Philadelphia Inquirer