WASHINGTON, United States, Jul 22 – US credit monitoring agency Equifax agreed to pay up to $700 million in a settlement stemming from a data breach that affected nearly 150 million customers, regulators said Monday.
The biggest-ever penalty in a data breach case was announced by the Federal Trade Commission and state regulators after revelations that hackers had stolen the personal details, including names, dates of birth and social security numbers, of millions of people.
“Companies that profit from personal information have an extra responsibility to protect and secure that data,” FTC chairman Joe Simons said in a statement announcing the settlement.
“Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers,” he added.
The settlement, subject to court approval, calls for at least $300 million of the penalty to go to affected consumers, and to provide extra credit monitoring beyond what the company has already offered. Additional money will be added to this consumer fund based on the number of claims filed, officials said.
“As part of our settlement, Equifax will provide every American who had their highly sensitive information accessed with the tools they need to battle identity theft in the future,” said New York state Attorney General Letitia James, one of the state regulators in the case.
“Equifax put profits over privacy and greed over people, and must be held accountable to the millions of people they put at risk.”
Some $175 million will be paid to states joining the litigation and $100 million in civil penalties to the federal government.
While Equifax does not deal directly with consumers, it handles sensitive information on them to help lenders determine borrowers’ creditworthiness in the United States and some other countries including Britain. It is one of three large credit-reporting agencies in the United States.
The FTC said that Equifax learned of a vulnerability in its network in March 2017 but failed to patch its network or notify consumers until later in the year.
Origin remains unclear
While not the largest breach – attacks on Yahoo leaked data on as many as one billion accounts – the Equifax incident could be the most damaging because of the nature of data collected: bank and social security numbers and personal information of value to hackers and others.
It remains unclear who was behind the Equifax hack, but some experts said it appeared to be the work of a state-sponsored actor.
Equifax chief executive Mark Begor said in a statement: “This comprehensive settlement is a positive step for US consumers and Equifax as we move forward from the 2017 cybersecurity incident and focus on our transformation investments in technology and security as a leading data, analytics, and technology company.”