Equifax agreed to pay at least $575 million to the US Federal Trade Commission, the Consumer Financial Protection Bureau (CFPB), and all 50 states over its massive 2017 data breach. If that isn’t enough to compensate people impacted by the breach, the credit reporting company could have to pay up to $700 million — a figure we on Friday.
The settlement is made up of $300 million for a fund providing impacted consumers with credit monitoring services and compensating those who bought credit or identity monitoring services in the wake of the breach. If that doesn’t cover the losses, Equifax will add up to $125 million to the fund. It has also agreed to pay $175 million to 48 states, the District of Columbia and Puerto Rico, as well as $100 million in civil penalties to the CFPB.
Hackers stole the personal information — including Social Security numbers and home addresses — of nearly 148 million Americans from Equifax’s servers in a data breach that ran from May to July 2017. A December 2018 House Oversight Committee report called the breach “entirely preventable,” saying Equifax didn’t and wasn’t prepared for the aftermath.
New York Attorney General Letitia James criticized Equifax for “putting profits over privacy and greed over people.”
“This company’s ineptitude, negligence, and lax security standards endangered the identities of half the U.S. population,” she said in a statement.
Equifax CEO Mark Begor said in a release that the settlement is “a positive step” for US consumers and the company.
“The consumer fund of up to $425 million that we are announcing today reinforces our commitment to putting consumers first and safeguarding their data — and reflects the seriousness with which we take this matter,” he said.
First published at 5:02 a.m. PT.
Updated at 5:50 a.m. PT: Adds more detail.