Equifax will pay up to $700 million to settle with the Federal Trade Commission (FTC) and others over the 2017 data breach that exposed the private data of nearly 150 million people.
The settlement with several federal and state authorities, and claimants in a class-action lawsuit, draws a line under one of the largest breaches of US consumer data.
Joseph Simons, chairman of the FTC, said the company had “failed to take basic steps” that could have prevented the “massive data breach”.
“This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud,” he said.
The resolution with the FTC, the Consumer Financial Protection Bureau, 50 state attorneys-general and the class-action claimants requires Equifax to pay $380m into a fund to compensate affected consumers, $80m of which will be for attorneys’ fees.
Equifax will also pay $290m in CFPB and state penalties, including $10m to the New York Department of Financial Services, and make an extra $125m available to the fund if the original amount is exhausted.
Mark Begor, Equifax chief executive, said he did not expect the company to make additional payments into the fund beyond the original amount.
“We expect this will be enough, but we have made more money available because we recognise it may be necessary,” he told reporters.
The settlement comes two years after the July 2017 breach, in which hackers stole data including social security numbers after Equifax failed to patch its systems, the FTC said. The company had been warned of a security vulnerability in March that year but took no action until the hack.
“Hackers were able to access a staggering amount of data because Equifax failed to implement basic security measures,” the FTC said on Monday.
The names and dates of birth of at least 147m Equifax customers were stolen in the hack, as well as 145.5m social security numbers and 209,000 payment card numbers and expiration dates.
Equifax was forced to scrap executive bonuses and suspend share buybacks last year, in anticipation of fines and lawsuits resulting from the hack.
Mr Begor said on Monday that Equifax had seen “no evidence” of the hacked personal information being sold online.
The deal will require Equifax to boost its cyber security systems and obtain third-party assessments of its processes every two years. It also forces the company’s board to certify annually that it is complying with the settlement, a move that would make directors personally liable, FTC officials said.
The total sum for which Equifax is liable is more than double its 2018 net income of $300m — though substantially less than the $3.4bn in revenue it recorded last year. FTC officials said Monday that they weighed up Equifax’s ability to pay while continuing to invest in cyber security when deciding the appropriate penalty.
“We do want to make sure that we’re not bankrupting the company,” said Maneesha Mithal, director of the division of privacy and identity protection at the FTC.
Last September, UK regulators fined Equifax £500,000, the maximum penalty allowed by law at the time of the hack, after it was revealed hundreds of thousands of British customers had also been affected. The UK Information Commissioner’s Office said Equifax had collected British customer data and stored it in the US.
Victims of the Equifax breach may be entitled to some benefits, the FTC said in a statement.