The Atlanta-based credit reporting agency Equifax will pay at least $600 million to settle litigation over a 2017 data breach that exposed the personal details of nearly 150 million people, said Georgia Attorney General Chris Carr.
Most of the settlement announced Monday would go toward a $425 million restitution fund to repay consumers for costs linked to the breach. Another $175 million payment will go to state authorities, including $7.2 million for Georgia.
Carr’s office said it was the largest ever data breach enforcement action, and listed a series of steps Equifax agreed to take to toughen up its data. Still, it’s less than other recent corporate penalties, including the record $1 billion fine that Wells Fargo agreed to pay.
The breach, one of the largest of its kind, exposed the Social Security numbers and driver’s license data of roughly 148 million people. The company didn’t discover it for 76 days and it was not revealed to the public until September 2017.
Those revelations set off a political outcry that led to the departure of several top company officials, including chief executive officer Richard Smith, who was also grilled in a Congressional hearing.
Several other Equifax executives have been charged with insider training, and two pleaded guilty. A recent company filing revealed Equifax has spent about $1.25 billion to shore up its network, and set aside about $700 million to cover litigation and fines.
Carr and other state attorneys general led an investigation that found Equifax failed to update critical vulnerabilities in its software and did not properly replace systems that monitored the network for suspicious activity. It’s still not clear who stole the data, which affected nearly half of all adult Americans.
As part of the settlement, Equifax agreed to make it easier for consumers to freeze and thaw their credit, hire more staff to help people who are victims of identity theft, reorganize its data security team, minimize its use of sensitive data and overhaul its cybersecurity policies.
The company, one of the nation’s three main credit-reporting agencies, also must offer people whose data was swiped credit monitoring services for 10 years. Consumers can sign up for details on the service here.
The settlement comes as the new chief executive, Mark Begor, has tried to improve the company’s reputation and boost its security. He’s touted the firm’s “strong progress” on bolstering its IT network.
Carr called it a “fair and appropriate settlement, ensuring substantial consumer relief and requiring the implementation of robust security measures to protect against future exposure of consumers’ private data.”
Support real journalism. Support local journalism. Subscribe to The Atlanta Journal-Constitution today. See offers.
Your subscription to the Atlanta Journal-Constitution funds in-depth reporting and investigations that keep you informed. Thank you for supporting real journalism.