Equifax Agrees to $700 Million Settlement After Huge Hacking Incident Hit Consumers

WASHINGTON – Credit reporting giant Equifax Inc. signed a settlement Monday in which it agreed to pay as much as $700 million to resolve government and consumer complaints resulting from a data breach that exposed the personal financial information of most of the U.S. adult population.

The settlement follows investigations by the Federal Trade Commission, Consumer Financial Protection Bureau and all 50 state attorneys general. Consumers filed thousands of private lawsuits that were consolidated into a class action.

The agreement with the Federal Trade Commission awaits approval by a judge in the U.S. District Court for the Northern District of Georgia, where the case is pending.

“This settlement requires that the company take steps to improve its data security going forward and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud,” Federal Trade Commission Chairman Joe Simons said in a statement.

The Federal Trade Commission blamed much of the heavy penalty on Equifax’s negligence in failing to fix a known security hazard.

A security flaw in the company’s Apache Struts program was detected by engineers but continued for two months before the 2017 data breach, despite the availability of a software patch, the Federal Trade Commission reported.

A hacker who exploited the flaw then was able to steal records of more than 146 million users by gaining access to the Equifax system.

The breached information included Social Security numbers, names, birth dates, phone numbers, email addresses and drivers license records. The hackers also accessed 209,000 payment card numbers and expiration dates.

The Federal Trade Commission reported that Equifax stored many network credentials, passwords and Social Security numbers in plain text files where they were easily susceptible to cybercrime.

The agreement would allocate about $300 million for consumers affected by the data breach. Another $100 million would be paid to the Consumer Financial Protection Bureau for civil penalties. All 50 states, the District of Columbia and Puerto Rico would share $175 million of the compensation, Equifax said in a press release.

The company agreed to an additional $125 million payment if more than seven million

consumers file claims showing the original amount of compensation was inadequate.

Other parts of the agreement would give all U.S. consumers six free credit reports per year for seven years. Equifax also agreed to annual tests of its cybersecurity, to add more safeguards to its computers and to certify its compliance annually with the consent agreement.

The damage to the company goes far beyond the enormous penalties in the settlement agreement.

Equifax’s chief executive was forced into resignation, two of its top executives received prison sentences for insider trading, its credit rating suffered and legal fees reached into millions of dollars. The company spent millions more trying to strengthen its cybersecurity.

“This comprehensive settlement is a positive step for U.S. consumers and Equifax as we move forward from the 2017 cybersecurity incident and focus on our transformation investments in technology and security as a leading data, analytics and technology company,” Equifax Chief Executive Officer Mark W. Begor said in a statement.

Consumers who can prove they spent time trying to correct problems created by the data

breach can receive compensation as high as $20,000 per person. The compensation would be calculated at $25 per hour up to 20 hours.

The claims process is scheduled to open after court approval of the settlement. More information can be found on the Federal Trade Commission website at https://www.ftc.gov/enforcement/cases-proceedings/refunds/equifax-data-breach-settlement