The breach – which continued for 76 days – exposed the personal information of nearly 150 million Americans. That included Social Security numbers, birth dates, addresses, credit card numbers and, in some cases, driver’s license numbers – much of that data potentially valuable for years or even decades to come.
Equifax did not announce that the data had been accessed until early September 2017, weeks after discovering the electronic invasion.
The company's response drew outrage from consumer groups. Congressional hearings were held, and a number of top executives – including CEO Rick Smith – took early retirement. Several other lower-level executives were charged with insider trading for stock trades made before the breach was publicly revealed.
Initially, it seemed the fury threatened the company's survival. While Equifax stock did take a hit, it has been slowly recovering. Shares of the company had been trading at $141.59 before the announcement of the breach. Afterward, the price plummeted 34%. Equifax closed the trading day Monday just below $138 a share.
At the end of the past fiscal year, Equifax reported net income of about $300 million on revenues of $3.4 billion. It is slated to report its most recent quarterly earnings later this week.
Ultimately, Congress took no action against the company.
The deal announced Monday also would require Equifax — which is offering free credit monitoring through this year for those who signed up — to make it easier for consumers to freeze and thaw credit. It would also require the company to hire more staff to help victims of identity theft, reorganize its data security team and to minimize its use of sensitive data, according to Carr, Georgia's attorney general.
It’s a “fair and appropriate settlement, ensuring substantial consumer relief and requiring the implementation of robust security measures to protect against future exposure of consumers’ private data,” said Carr.
Georgia will receive $7.2 million from Equifax as part of the settlement, he said.
Unless a federal judge sees reason to object, the agreement seems likely to take effect.
Attorneys at the Atlanta-based Barnes Law Group, who represent plaintiffs, said Monday they were filing a motion asking the court to accept the settlement of the case.
Liz Coyle, executive director of Georgia Watch, said the settlement is large enough to prove the agencies and attorneys general are serious about keeping credit agencies accountable. "I believe the magnitude fits the severity of the incident," she said. "The intent is to ensure that this never happens again."
After the breach was revealed, critics charged Equifax with fostering a corporate culture that put the priority on profits, not on protection.
Asked about that Monday, Begor — who became the company's chief executive in early 2018 — talked about company investments since the breach.
“It’s hard for me to talk about the culture before I joined the company, but I’ve been very clear,” he said. “Culturally, when I joined the company, we made it clear that we were putting consumers first. We want to put the consumer first, and the security first and the technology first.”
The company has added several top positions in security and technology. In addition to the settlement payments announced Monday, Equifax will continue to make improvements part of a $1.25 billion investment, Begor said. “I hope that speaks volumes about the culture we have in place today for Equifax.”
Hackers generally steal information either to resell it for profit, or — when it’s a government hacker — to use it against an enemy.
If the Equifax breach was about money, there’s been no sign of that yet, Begor said.
However, unlike hacks of credit card numbers, personal data may be valuable for many years, experts said.
“We continue to monitor the dark web and identity theft,” Begor said. “And to date, we haven’t seen any evidence of our data being sold or an increase in identity theft.”
Equifax settlement: Why it matters
Equifax is the largest of the three major credit agencies. It collects and sells access to personal data on more than 100 million Americans. If there’s a breach, that information could be used to steal identities or ruin a person’s credit.
The settlement announced Monday offers consumers a chance to check on their data and – if they go through the right process – receive compensation for being ripped off.
Equifax is one of the largest financial firms based in Atlanta, with about 2,800 employees here. The company has 11,000 employees worldwide.