Equifax has agreed to pay up to $700 million in a settlement over a 2017 data breach that exposed the records and Social Security numbers of at least 147 million people, according to The Guardian.
The incident was among the largest breaches of private data ever, and the settlement will be the largest of its kind ever paid to the FTC over a data breach. The credit score agency has already been fined £500,000 by UK regulators, with 15 million UK citizens affected by the breach.
The FTC says Equifax failed to patch its systems even after it was warned they were vulnerable, and much of the data was stored as plain, unencrypted text.
As part of the new settlement, the company has agreed to conduct an annual audit of its own security measures, allow an external compliance assessment every two years, and ensure that third parties that access its data are taking adequate steps to protect it.
Out of the settlement payment, up to $425 million will provide monetary relief and identity theft services to affected consumers, while $100 million will go toward a civil penalty paid to the Consumer Financial Protection Bureau. The rest will be divided between the 50 US states and territories involved in the settlement.
“Companies that profit from personal information have an extra responsibility to protect and secure that data,” according to FTC chairman Joe Simons. “Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers. This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud.”
At least 147 million names and dates of birth, 145.5 million Social Security numbers, and 209,000 card numbers and expiration dates were revealed in the breach.
Victims will be eligible for compensation for any spending on credit monitoring and identity theft protections following the breach, and any costs associated with freezing or unfreezing credit reports. They will also be offered ten years of free credit monitoring and seven years of identity theft restoration services.
Equifax has said that it’s set aside about $700 million to cover the expected settlement and fines.