Credit reporting agency Equifax will pay about $700 million to state and federal regulators to settle probes stemming from a data breach that exposed the personal information of nearly 150 million people.
The settlement with the U.S. Consumer Financial Protection Bureau and the Federal Trade Commission, as well as 48 states and the District of Columbia and Puerto Rico, would provide up to $425 million in monetary relief to consumers, a $100 million civil money penalty, and other relief.
Equifax will pay the states a total of $175 million, including $4,563,223.03 for North Carolina, according to the NC attorney general’s office.
The breach was one of the largest ever to threaten the private information. The consumer reporting agency, based in Atlanta, did not detect the attack for more than six weeks. The compromised data included Social Security numbers, birth dates, addresses, driver license numbers, credit card numbers and in some cases, data from passports.
Affected consumers may be eligible to receive money by filing one or more claims for conditions including money spent purchasing credit monitoring or identity theft protection after the breach and the cost of freezing or unfreezing credit reports at any consumer reporting agency.
All impacted consumers would be eligible to receive at least 10 years of free credit-monitoring, at least seven years of free identity-restoration services, and, starting on Dec. 31 and extending seven years, all U.S. consumers may request up to six free copies of their Equifax credit report during any 12-month period.
If consumers choose not to enroll in the free credit monitoring product available through the settlement, they may seek up to $125 as a reimbursement for the cost of a credit-monitoring product of their choice. Consumers must submit a claim in order to receive free credit monitoring or cash reimbursements.
“Companies that profit from personal information have an extra responsibility to protect and secure that data,” said FTC Chairman Joe Simons. “Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers. This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud.”
Equifax first disclosed the hack in September 2017, three months after the company discovered the breach.
Hackers leveraged a security flaw in a tool designed to build web applications to steal customer data. Equifax admitted it was aware of the security flaw a full two months before the company says hackers first accessed its data.
It has said its damages exceeded $350 million.
The data breach prompted the resignation of CEO Richard Smith and investigations by federal regulators, multiple states attorneys general and the company faces a number of civil lawsuits.
