Credit reporting agency Equifax has reached a deal to pay upwards of $700 million to state and federal regulators to settle probes related to a data breach that exposed personal information of over 140 million people.
In 2017, Equifax had admitted that hackers had gained access to personal information of 143 million Americans in a data breach. The 2017 Equifax data breach was the largest hack in US history.
Hackers had exploited a security flaw in a tool designed to build web applications. Equifax admitted that it had been aware of the flaw a full two months before hackers had accessed its data, and did nearly nothing to stop the intrusion.
The information stolen included names, birthdays, addresses, as well as driver's license and social security numbers. Those who purchased iPhones may have been affected, as Apple's U.S. loan partner for the iPhone Upgrade Program is Citizens Bank — a company that has utilized Equifax in the past.
The Federal Trade Commission announced on Monday that Equifax will need to pay $300 million to $425 million to compensate people who used credit monitoring services. There is a cap on the fund, however, and when it is depleted, there will be no more payments doled out.
Additionally, Equifax will pay $275 million in penalties and compensation to 48 states, Washington, Puerto Rico, and the Consumer Financial Protection Bureau. It isn't presently clear how the funds will be paid, however.
The US Federal Trade Commission declared that Equifax violated its prohibition against deceptive practices, failing to safeguard people's personal information despite claiming that it implemented "reasonable physical, technical and procedural safeguards."
"Companies that profit from personal information have an extra responsibility to protect and secure that data," said FTC Chairman Joe Simons. "Equifax failed to take basic steps that may have prevented the breach."
Equifax will also be required to change how it handles private user data. The company will have to adjust its information security protocols, implement annual assessments of security risks, and receive certification attesting that it has complied with the FTC order.