Credit reporting agency Equifax will likely pay out a $700 million settlement over the 2017 data breach that exposed the social security numbers of an estimated 147 million people, according to federal officials.
A proposed settlement would involve the company providing up to $425 million in monetary relief to consumers and a civil money penalty of $100 million, along with other amounts of relief, the Consumer Financial Protection Bureau and the Federal Trade Commission announced in a joint press release on Monday. The settlement still needs to be approved by the U.S. District Court in Atlanta, according to the statement.
The company has also agreed to pay $175 million to 48 states as well as the district of Columbia and Puerto Rico, the FTC tweeted.
The 2017 breach was one of the largest ever to expose private information, according to The Associated Press.
FTC Chairman Joe Simons accused Equifax of failing to take “basic steps” to prevent the breach, of “deceiving consumers” about the strength of its data security program and of “engaging in acts and practices that caused additional harm or risk to consumers, the release states. The settlement would require Equifax to take steps to improve its data security going forward.
“The incident at Equifax underscores the evolving cyber security threats confronting both private and government computer systems and actions they must take to shield the personal information of consumers,” said CFPB Director Kathleen L. Kraninger. “Too much is at stake for the financial security of the American people to make these protections anything less than a top priority.”
Here’s what you need to know about the data breach and settlement:
The Atlanta-based agency announced in September 2017 that the personal information of about 147 million consumers, including names, addresses, social security numbers and dates of birth, were exposed in a data breach.
The information also included consumers’ financial profiles, which had information such as how much they owe on their homes and whether they had court judgments against them, AP reported. About 3,200 passport images were also stolen, according to AP.
The company announced at the time that “criminals exploited a U.S. website application vulnerability to gain access to certain files.”
The hackers, who have not been identified, sent 9,000 queries to dozens of databases containing consumers’ personal information and methodically extracted the information, according to AP. Equifax did not notice the attack for more than two weeks, AP reported.
A $425 million consumer fund will be used to provide reimbursements to affected consumers for time and money they spent related to the breach.
Consumers will be able to claim up to $20,000 each, according to the release.
This will include $25 an hour for up to 20 hours for time spent protecting personal information or addressing identity theft after the breach.
Consumers can also be reimbursed for up to 25% of the amount paid to Equifax for credit or identity monitoring subscription products between Sept. 7, 2016 and Sept. 7 2017.
Any unreimbursed costs, expenses, losses or charges incurred as a result of identity theft and miscellaneous expenses associated with the breach, such as notary, fax, postage, mileage and telephone charges can also be claimed.
In addition, all affected consumers are eligible to receive at least 10 years of free credit-monitoring and at least seven years of free identity-restoration services.
Starting Dec. 31, and extending seven years, all U.S. consumers may request up to six free copies of their Equifax credit report during any 12-month period as well. The free copies will be provided to requesting consumers in addition to any free reports to which they are entitled under federal law.
Consumers who decide not to enroll in the free credit monitoring available through the settlement may seek up to $125 as a reimbursement for the cost of a credit-monitoring product of their choice.
A settlement administrator will manage the claims process.
Consumers must submit a claim to receive the free credit monitoring or cash reimbursements online or by mail after the court approves the settlement.
Deadlines for filing the claims will also be included on the website.
Additional information about the settlement and how to find out whether you are eligible for relief can be found here.
After the breach was announced, Equifax mailed notices to people whose credit card numbers or dispute documents with personal identifying information were impacted.
At the time, consumers were also able to enter their personal information into a database to determine whether they were affected, but that function appears to have since been disabled.
The agency also recommended that people closely monitor their financial accounts and credit scores for unauthorized activity.
Equifax has added tools to better monitor its network traffic as well as restricted traffic between internal servers and tightened controls on who can access certain systems and networks, according to AP.
Since the breach, the chief information officer and top security executive have retired, and the agency hired a new chief technology officer, according to AP.
In a statement, Equifax CEO Mark Begor described the settlement as a “positive step” for both U.S. consumers and the company as it moves forward from the breach. Equifax plans to “focus” on its investments in technology and security, Begor said.
“The consumer fund of up to $425 million that we are announcing today reinforces our commitment to putting consumers first and safeguarding their data — and reflects the seriousness with which we take this matter,” Begor said. “We have been committed to resolving this issue for consumers and have the financial capacity to manage the settlement while continuing our $1.25 billion EFX2020 technology and security investment program. We are focused on the future of Equifax and returning to market leadership and growth.”
Equifax has denied any wrongdoing, and no judgement or finding of wrongdoing has been made, according to a statement on the settlement website.
ABC News’ Will Gretsky and Adam Kelsey contributed to this report.