U.S. credit monitoring agency Equifax agreed to pay up to $700 million in a settlement stemming from a data breach that affected nearly 150 million customers, regulators said Monday.
The biggest-ever penalty in a data breach case was announced by the Federal Trade Commission and state regulators following revelations that hackers had stolen the personal details of millions, including names, dates of birth and social security numbers.
"Companies that profit from personal information have an extra responsibility to protect and secure that data," FTC chairman Joe Simons said in a statement announcing the settlement.
"Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers," he added.
The settlement, subject to court approval, calls for at least $300 million of the penalty to go to affected consumers, and to provide extra credit monitoring beyond what the company has already offered.
Additional money will be added to this consumer fund based on the number of claims filed, officials said.
"As part of our settlement, Equifax will provide every American who had their highly sensitive information accessed with the tools they need to battle identity theft in the future," said New York state Attorney General Letitia James, one of the state regulators in the case.
"Equifax put profits over privacy and greed over people, and must be held accountable to the millions of people they put at risk."
Some $175 million will be paid to states joining the litigation and $100 million in civil penalties to the federal government to settle charges of unfair and deceptive practices.
According to documents filed in court, Equifax will offer affected consumers "cash compensation, credit monitoring, and help with identity restoration" and must spend at least $1 billion to improve its data security.
Consumers may receive up to 10 years of free credit monitoring or $125 cash to cover their own monitoring costs, the FTC said. Those who experienced identity theft may receive up to $20,000 in compensation.
'Equifax chose us'
While Equifax does not deal directly with consumers, it handles sensitive information on them to help lenders determine borrowers' creditworthiness in the United States and some other countries including Britain. It is one of three large credit-reporting agencies in the United States.
Maryland state attorney general Brian Frosh said the breach was troublesome because most consumers did not know their data was being collected or consent to it.
"We did not choose Equifax, Equifax chose us," he told a news conference in Washington with FTC and other officials.
"It collected our personal information... and it sold the product and some of the raw data to other people."
The FTC said that Equifax learned of a vulnerability in its network in March 2017 but failed to patch its network or notify consumers until later in the year.
Origin remains unclear
While not the largest breach -- attacks on Yahoo leaked data on as many as three billion accounts -- the Equifax incident could be the most damaging because of the nature of the data collected: bank and social security numbers and personal information of value to hackers and others.
It remains unclear who was behind the Equifax hack, but some experts said it appeared to be the work of a state-sponsored actor.
Equifax chief executive Mark Begor said in a statement: "This comprehensive settlement is a positive step for US consumers and Equifax as we move forward from the 2017 cybersecurity incident and focus on our transformation investments in technology and security as a leading data, analytics, and technology company."