Equifax to pay up to $700 million to settle government investigations into 2017 security breach

  • Equifax will pay up to $700 million to settle with the Federal Trade Commission and others over a 2017 data breach that exposed Social Security numbers and other private information of nearly 150 million people. The proposed settlement with the Consumer Financial Protection Bureau, if approved by the federal district court Northern District of Georgia, will provide up to $425 million in monetary relief to consumers, a $100 million civil money penalty, and other relief.

    Equifax will pay up to $700 million to settle with the Federal Trade Commission and others over a 2017 data breach that exposed Social Security numbers and other private information of nearly 150 million people. The proposed settlement with the Consumer Financial Protection Bureau, if approved by the federal district court Northern District of Georgia, will provide up to $425 million in monetary relief to consumers, a $100 million civil money penalty, and other relief. Associated Press/July 21, 2012

 
 
Updated 7/22/2019 8:37 AM

Equifax has agreed to pay as much as $700 million to settle a series of state and federal investigations into a massive 2017 data breach that left more than 147 million Americans' Social Security numbers, credit-card details and other sensitive information exposed.

The punishment includes payments to affected consumers, fines to peeved regulators and a host of required changes to the credit-reporting agency's business practices, government officials said Monday, as they faulted Equifax for putting more than half of all U.S. adults at risk for identity theft and fraud.

by signing up you agree to our terms of service
                                                                                                                                                                                                                       
 

"This is the largest data breach settlement in U.S. history," said Pennsylvania Attorney General Josh Shapiro. "These data breaches occur because of corporate greed. Corporate leaders decided to put an extra dollar of profit into their pocket, as opposed to that dollar going into the infrastructure of the company to protect their data."

Under an agreement with the attorneys general from 48 states as well as the District of Columbia and Puerto Rico, Equifax will set aside up to $425 million to reimburse victims of the breach, including those who experienced identity theft. Equifax also will offer 10 years of credit-monitoring services to consumers who have been harmed, invest more heavily in its own cybersecurity and pay $175 million to the states themselves, officials said. They described the penalty as the most significant they've ever levied in response to an organization that broke state data-security laws.

Equifax also has agreed to pay an additional $100 million to settle a federal investigation at the Consumer Financial Protection Bureau, which probed the matter alongside the Federal Trade Commission, the agencies said Monday.

Equifax did not respond to a request for comment.

The Equifax breach, which the credit-reporting agency first acknowledged in September 2017, amounted to one of the worst security incidents in U.S. history given the number of Americans affected and the sensitivity of the information that hackers were able to access. Names, home addresses and birth dates were left exposed, and in some cases, Americans' driver's license numbers were left vulnerable to theft, too.

                                                                                                                                                                                                                       
 

The breach enraged lawmakers, regulators and victims because Equifax, as one of the country's three major credit reporting bureaus, plays a central role in determining Americans' financial futures - from whether a person can obtain credit to the interest rate they pay on their mortgage. Yet Equifax still failed to adopt even the most elementary cybersecurity protections, putting Americans' financial livelihoods at risk.

For years, many of Equifax's sensitive computer systems had not been patched against known digital vulnerabilities, according to state, federal and congressional investigators, who began issuing their findings earlier year. More than 8,500 security fixes, or patches, never were made to known vulnerabilities as far back as 2015, defying industry best practices, lawmakers found. It took Equifax 76 days just to notice it had been breached in 2017, despite the fact that it had been well-aware of a major vulnerability in its computer systems months before the incident occurred, state officials said Monday.

For two years, Democrats and Republicans on Capitol Hill lashed Equifax executives at a series of hearings. Its chief executive at the time quickly resigned. Other Equifax executives soon found themselves in their own legal trouble: The Justice Department later determined that the credit reporting agency's chief information officer sold his stock in advance of Equifax's official announcement. The executive, Jun Ying, was sentenced for insider trading, making him the second Equifax official to be found guilty of such charges.

"This company's ineptitude, negligence, and lax security standards endangered the identities of half the U.S. population," said New York Attorney General Letitia James. "Now it's time for the company to do what's right and not only pay restitution to the millions of victims of their data breach, but also provide every American who had their highly sensitive information accessed with the tools they need to battle identity theft in the future."

0 Comments
                                                                                                                                                                                                                       
 
Article Comments ()
Guidelines: Keep it civil and on topic; no profanity, vulgarity, slurs or personal attacks. People who harass others or joke about tragedies will be blocked. If a comment violates these standards or our terms of service, click the X in the upper right corner of the comment box. To find our more, read our FAQ.