WASHINGTON–Equifax has reached an agreement with the Federal Trade Commission to pay up to $700 million to state and federal regulators in order to settle investigations into its massive 2017 data breach.
That breach is suspected to have involved the exposure of the personal information of nearly 150 million people.
According to the FTC, Equifax will pay between $300 million and $425 million to compensate those who were affected by reimbursing people who purchased credit- or identity-monitoring services as a result of the data breach. The relatively wide range of the settlement is due to uncertainty around the number of claims that could be provided by consumers.
In addition, Equifax will also pay $275 million in civil penalties and other compensation to 48 states, Washington, Puerto Rico and the Consumer Financial Protection Bureau.
Changes Required
As part of the settlement, the FTC said Equifax must make changes in how it handles private consumer data. Equifax is required to adjust its information security protocols, including annual assessments of security risks and receiving the board's certification attesting that the company has complied with the FTC's order.
The FTC had alleged Equifax violated the agency's prohibition against unfair and deceptive practices by failing to properly safeguard consumers’ personal information even though its privacy policy stated it had implemented "reasonable physical, technical and procedural safeguards" to protect their data.
"Companies that profit from personal information have an extra responsibility to protect and secure that data," said FTC Chairman Joe Simons in a statement. "Equifax failed to take basic steps that may have prevented the breach."
Detailed Information
As CUToday.info reported, the breach is believed to be the largest in U.S. history and included names, Social Security numbers, drivers' license numbers and addresses.
According to the company and investigators, the hackers were able to penetrate the system by taking advantage of a security flaw in a tool designed to build web applications. Equifax later admitted it was aware of the security flaw a full two months before the company said hackers first accessed its data.
While the FTC has settled its case, numerous civil lawsuits are pending.