Equifax to pay up to $700M in settlement over data breach
Equifax — the credit reporting agency responsible for one of the country’s largest, and likely most damaging, losses of personal information two years ago — will pay up to $700 million to settle with the U.S. and states over the breach that exposed Social Security numbers and other sensitive data of some 150 million people.
The settlement with the U.S. Consumer Financial Protection Bureau and the Federal Trade Commission, as well as Pennsylvania, 47 other states and the District of Columbia and Puerto Rico, would provide up to $425 million in monetary relief to consumers and a $100 million civil money penalty.
Equifax will pay the states $175 million, which includes $7.3 million for Pennsylvania. About 5.5 million Pennsylvanians were affected by the breach, according to the state attorney general’s office.
The breach was one of the largest ever to threaten private information, exposing the data of 56 percent of U.S. adults. Equifax, based in Atlanta, did not detect the attack for more than six weeks. The compromised data included Social Security numbers, birth dates, addresses, driver’s license numbers, credit card numbers and, in some cases, data from passports.
“This is the largest data breach settlement in the history of our country,” Pennsylvania Attorney General Josh Shapiro said in an interview Monday. “It sends a clear message to corporate America that they need to invest in the infrastructure of their company to protect our data.”
Mr. Shapiro was one of the Equifax victims. He said he was angry, like any consumer would be, but believes consumers should feel some relief from the settlement.
“Consumers are able to get money back for time wasted as a result of the breach, get money back for costs they incurred, and are able to secure 10 years’ worth of free credit monitoring so they can keep an eye on their personal information,” he said.
The National Consumer Law Center issued a statement Monday saying it appreciated the work that went into getting the settlement but that the restitution fund should have been bigger.
The fund “seems modest for a breach of this scale, but it does provide some real dollars to consumers for time and out-of-pocket expenses,” said Chi Chi Wu, staff attorney at the law center. Ms. Wu noted that because Social Security numbers were exposed, the risk of identity theft lasts a lifetime.
“Social Security numbers can be traded by hackers in perpetuity,” she said.
Affected consumers may be eligible to receive money by filing one or more claims for conditions, including money spent purchasing credit monitoring or identity theft protection after the breach and the cost of freezing or unfreezing credit reports at any consumer reporting agency.
Consumers also could be compensated at $25 an hour, up to a maximum of $500, for time spent protecting personal information or addressing identity theft after the breach.
All affected consumers would be eligible to receive at least 10 years of free credit monitoring, at least seven years of free identity restoration services and, starting on Dec. 31 and extending seven years, all U.S. consumers may request up to six free copies of their Equifax credit report during any 12-month period.
The free reports are in addition to the free credit reports consumers are entitled to annually under federal law.
If consumers choose not to enroll in the free credit monitoring product available through the settlement, they may seek up to $125 as a reimbursement for the cost of a credit-monitoring product of their choice.
Consumers must submit a claim in order to receive free credit monitoring or cash reimbursements. Claims will be accepted online or by mail. Paper claim forms also can be requested over the phone.
Consumers will be able to get information about the settlement, check their eligibility to file a claim, and file a claim on the Equifax Settlement Breach online registry.
Mr. Shapiro said consumers can get information and start the claims process by entering their email address at www.ftc.gov/equifax or www.attorneygeneral.gov. They also can call the settlement administrator at 1-833-759-2982.
“Companies that profit from personal information have an extra responsibility to protect and secure that data,” FTC Chairman Joe Simons said.
“Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers. This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud.”
Equifax said earlier this year that it had set aside about $700 million to cover anticipated settlements and fines.
“Equifax failed in its fundamental responsibility to safeguard consumers’ sensitive financial information,” Mr. Shapiro said. “Equifax knew that there were serious flaws in their system, but still they did not take appropriate steps to fix it. The financial futures of millions of Americans were put at risk — and it was entirely preventable.”
The multistate investigation found that Equifax failed to implement an adequate security program, despite knowing about a critical vulnerability in its software, Mr. Shapiro said. Moreover, Equifax failed to replace software that monitored the breached network for suspicious activity, he said. As a result, the attackers penetrated Equifax’s system and went unnoticed for 76 days.
Equifax has said it discovered the breach on July 29, 2017. The company didn’t make the incident public until Sept. 7, 2017.
In the wake of the breach, Congress stepped in to eliminate fees that credit bureaus had routinely charged people for freezing and unfreezing their accounts. Freezing an account blocks thieves from opening fraudulent credit accounts. That new law took effect Sept. 21, 2018.
Crooks can do a lot of damage with stolen personal data, such as apply for credit cards or loans, order smartphones on payment plans, open utility accounts, steal federal tax refunds, and collect someone else’s Social Security or health care benefits.
ID thieves also may apply for a job, get insurance, lease an apartment or commit crimes in other people’s names.
Besides signing up for free credit monitoring, consumers should use common sense to guard their finances, Mr. Shapiro said.
“If you see something odd on your credit card or bank statement, alert the bank and law enforcement right away,” he said. He said the Equifax breach was the most damaging breach ever, considering the type of sensitive data exposed.
In terms of the number of accounts compromised, the Equifax breach ranks behind those at Yahoo in 2013, eBay in 2014 and Marriott in 2018.
For more information about ID theft, visit the FTC’s ID theft resources page.