Credit monitoring firm Equifax has agreed to pay up to $700 million to settle investigations from U.S. regulators and state attorneys stemming from the 2017 data breach that compromised personal information about 147 million people.
The penalty includes payments of $425 million to affected customers, $100 million in payments to 48 states, the District of Columbia and Puerto Rico, and also a payment of $100 million to resolve a federal investigation from the U.S. Consumer Financial Protection Bureau, which examined the company in cooperation with the Federal Trade Commission, regulators said Monday.
The deal is the largest settlement resulting from a data breach in U.S. history. It comes nearly two years after Equifax revealed hackers had accessed U.S. citizens’ Social Security numbers, credit data, addresses, birth dates and some driver’s license numbers because of flaws in the company’s technology.
Attorneys are scheduled to propose the deal to a court in Atlanta on Monday. The announcement confirms a previous report from the Wall Street Journal.
The hack, announced in September 2017, occurred earlier that year after Equifax failed to apply a security update for the Apache Struts web application framework, software with publicly known flaws. In fact, the firm had failed to install more than 8,500 fixes dating back to 2015, according to congressional findings made public earlier this year. It then took Equifax 76 days to detect that a breach had occurred, in what has become an oft-cited example among corporate executives of how not to run a security program.
Richard Smith, the chief executive at the time, resigned from his position weeks after the incident was disclosed. Last month, a court in the Northern District of Georgia sentenced Jun Ying, Equifax’s former chief information officer, to four months in prison for selling Equifax stock before the breach was announced.
“The company’s ineptitude, negligence, and lax security standards endangered the identities of half the U.S. population,” New York Attorney General Letitia James said in a statement Monday. “Now it’s time for the company to do what’s right and not only pay restitution to the millions of victims of their data breach, but also provide every American who had their highly sensitive information accessed with the tools they need to battle identity theft in the future.”
As part of the settlement, Equifax also must spend $1 billion to improve its digital systems. Required upgrades include encrypting personal information under the company’s control, adopting two-factor authentication and password rotation policies, performing regular simulated exercises meant to test Equifax’s ability to respond to another breach, and employing new patch management policies.
The incident is still having an impact on the way Equifax does business, even though the company’s stock has recovered. Financial ratings agency Moody’s downgraded its outlook for Equifax in May from “stable” to “negative,” citing the $1 billion price tag on security updates. Meanwhile, Equifax rivals Experian and TransUnion will have more money to invest in new opportunities and absorb market share from Equifax.
The proposed settlement is available in full below.