Equifax to pay at least $575 million as part of FTC settlement

The credit reporting company may have to pay up to $700 million over a 2017 data breach.

Alfred Ng, Senior Reporter, CNET News
Sean Keane, Former Senior Writer
[Photo: Equifax logo. Caption: Equifax has agreed to pay US agencies. Credit: Igor Golovniov/SOPA Images/LightRocket via Getty Images]

Equifax has agreed to pay at least $575 million to the US Federal Trade Commission, the Consumer Financial Protection Bureau, 48 states, DC and Puerto Rico over its massive 2017 data breach. If that isn't enough to compensate people affected by the breach, the credit reporting company could have to pay up to $700 million -- a figure we got hints about on Friday.


The Equifax settlement, announced Monday, includes $300 million for a fund that will provide affected consumers with credit monitoring services and reimburse those who bought credit or identity monitoring services in the wake of the breach. If that doesn't cover the losses, Equifax will add up to $125 million to the fund. It's also agreed to pay $175 million to 48 states, the District of Columbia and Puerto Rico, as well as $100 million in civil penalties to the CFPB. Two states, Indiana and Massachusetts, are not part of the deal, according to The New York Times. Indiana and Massachusetts have each filed suit against Equifax over the breach.

Hackers stole the personal information -- including Social Security numbers and home addresses -- of nearly 148 million Americans from Equifax's servers in a data breach that ran from May to July in 2017. A December 2018 House Oversight Committee report called the breach "entirely preventable," saying Equifax didn't take action to prevent it and wasn't prepared for the aftermath.

"Equifax's data breach put over 100 million Americans at risk by exposing their Social Security numbers and other personal information," Rep. Frank Pallone, chairman of the House Energy and Commerce committee, said in a statement. "This settlement does not come close to making consumers whole and, once again, shows the limitations on the FTC's ability to seek strong penalties and effective redress for consumers."

Equifax suffered its hack after failing to patch a vulnerability it had been warned about in March 2017. It didn't learn that its systems had been compromised until four months later, in July 2017.

Part of the settlement will require Equifax to implement security standards, including annual tests to identify and address vulnerabilities and risks and making sure its systems' patches are kept up to date. Equifax will also need to ensure that third parties that work with it are protected against cyberattacks.

In addition, the settlement will require Equifax to get third-party audits of its security every two years, and the FTC must approve the testing.

"Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers," FTC Chairman Joe Simons said in a statement. "This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud."

The FTC also required Equifax to have a designated employee in charge of its cybersecurity program. At the Black Hat cybersecurity conference in 2018, Equifax's new chief information security officer, Jamil Farschi, told CNET the company was going through a major shift to regain the public's trust, spending $200 million on its cybersecurity program last year.

The agencies decided on that amount for the settlement so that Equifax had enough money to improve its cybersecurity, Kathy Kraninger, the CFPB's director, said at a press conference on Monday.

"We do want to make sure that we're not bankrupting the company or making the company go out of business," she said.


Equifax didn't alert the public about the breach until September 2017, and two Equifax executives were charged with insider trading before the hack was public knowledge. In June, Equifax's former chief information officer was found guilty and sentenced to four months in prison.

New York Attorney General Letitia James criticized Equifax for "putting profits over privacy and greed over people."

"This company's ineptitude, negligence, and lax security standards endangered the identities of half the US population," she said in a statement.

At a press conference, Maryland's attorney general, Brian Frosh, said the settlement would set the standard for other credit reporting agencies if they suffer a breach in the future.

"The principal cause of the breach was Equifax's failure to patch critical vulnerabilities in its network. That persisted for 76 days," Frosh said. "Maybe even more aggravating is the fact that most of the victims were not Equifax customers."

Equifax was also publicly criticized for how it responded to the hack's aftermath, especially a website it developed for people to check whether they were affected, which returned random results. Security researchers found that the website could easily be spoofed, allowing potential attackers to trick more Equifax victims.

The FTC set up a page for Equifax breach victims to file claims against the company, which could mean up to $20,000 in cash payments for people affected by the hack. Victims would be reimbursed for expenses arising from the breach, including losses from accounts, fees paid to accountants and attorneys, and time spent dealing with the breach. The settlement requires Equifax to pay up to $25 per hour to victims who can prove they were affected by the hack.

"Any identity theft that occurred with the same type of data stolen after the breach will be reimbursable," Kraninger said.

Equifax CEO Mark Begor said in a release that the settlement is "a positive step" for US consumers and the company.

"The consumer fund of up to $425 million that we are announcing today reinforces our commitment to putting consumers first and safeguarding their data -- and reflects the seriousness with which we take this matter," he said.

Sens. Elizabeth Warren and Mark Warner introduced a bill in January 2018 that would hold companies like Equifax accountable for future data breaches.

"Americans don't choose to have companies like Equifax collecting their data -- by the nature of their business models, credit bureaus collect your personal information whether you want them to or not," Warner, a Democrat from Virginia, said in a statement. "In light of that, the penalties for failing to secure that data should be appropriately steep."

He called for structural reforms on how credit reporting agencies are held accountable, to make sure that breaches like Equifax's wouldn't happen again.

Sen. Ron Wyden, a Democrat from Oregon, also said the FTC order wouldn't be enough for Equifax.

"In a just world, these executives would be going to jail. No one should be able to collect deeply sensitive information on 200 million people without their consent, treat it with reckless disregard and then just pay a fine when a predictable, easily avoidable hack takes place," Wyden said in a statement.

In November, Wyden proposed legislation that would jail CEOs for lying about privacy protections, and give the FTC more power to penalize companies.

Sen. Ed Markey, a Democrat from Massachusetts, also criticized the settlement, writing in a tweet that it was "far from an adequate solution."

At a press conference, Simons noted that the settlement was only possible through working with the state attorneys general and the CFPB, pointing out that the FTC doesn't have the power to seek civil penalties for first offenses.

"I renew my call for Congress to enact federal legislation that gives the FTC authority to seek penalties for first-time violations," Simons said.

Originally published July 22, 5:02 a.m. PT.
Updates, 5:50 a.m. PT: Adds more detail. 6:23 a.m. PT: Adds information about the settlement and Equifax's breach. 6:46 a.m. PT: Adds remarks from lawmakers. 7:45 a.m. PT: Adds details from the FTC's press conference. 9:36 a.m. PT: Adds statement from Wyden. 11:43 a.m. PT: Adds statement from Markey.
Correction, 12:41 p.m. PT: An earlier version of this story misstated the number of states that are involved in the settlement. It's 48.