After a massive 2017 data breach, Equifax Inc. has reached a proposed settlement that stands to cost the financial giant at least $575 million and spells relief for U.S. consumers, government officials said Monday.
About 147 million Americans were impacted by the hack. A large share of the money — $300 million — is to go toward relief for consumers impacted by the large-scale hacking that compromised sensitive data. The amount paid for consumer help could grow by an additional $125 million if more money is needed to compensate them, so the overall settlement could climb to $700 million, the officials said.
The breach was one of the largest in U.S. history. Many millions of people had names, addresses, dates of birth and Social Security numbers stolen by hackers.
Some victims also had their driver's license numbers and credit-card numbers and expiration dates taken, officials said.
The proposed settlement needs approval from a federal judge before taking effect. The case is being handled in the Atlanta-based Northern Federal District of Georgia.
Consumers may file claims for relief only after the judge signs off on the settlement, officials said. Benefits will not be paid until after the initial claims deadline has passed. Watch for updates from the Federal Trade Commission (FTC) or call a toll-free hotline, 833-759-2982.
Starting next January, all U.S. consumers — even those not directly impacted — will be able to get six additional free credit reports every year from Equifax for seven years.
Government officials said because data breaches are so common, it's difficult to trace cases of identity theft or fraud back to a specific hack.
Here are highlights of what people impacted by the hacking may receive:
- Free credit monitoring for up to 10 years, or a cash payment of $125 for credit monitoring you already have. For four of those years, a person may obtain free credit report monitoring from all three major credit bureaus: Equifax, Experian and TransUnion.
- Free identity-restoration service for at least seven years if you are the victim of identity theft or fraud.
Additionally, consumers may be eligible for reimbursement and cash payments of up to $20,000 for 1) time spent protecting your identity or recovering from identity theft, up to 20 hours at $25 per hour; 2) money spent protecting your identity or recovering from identity theft; 3) up to 25 percent of the cost of Equifax credit or identity monitoring that was purchased in the year before the breach; and 4) out-of-pocket losses tied to unauthorized charges or accounts.
Government officials urged consumers to put a freeze on their credit unless they had plans to apply for a loan or credit card. People later may “unfreeze” their credit to apply for loans or credit.
These officials alleged that Equifax failed to implement basic computer-security measures before the hack. Equifax broke the law before and after the breach, said Kathy Kraninger, director of the U.S. Consumer Financial Protection Bureau (CFPB).
The settlement was unveiled by Kraninger and top officials from the FTC.
They were joined at Monday's news conference by Maryland's attorney general, Brian Frosh, who called the breach “one of the largest in U.S. history and perhaps the most dangerous.” Roughly half of all U.S. consumers were impacted, he said.
Hackers don't immediately take stolen, sensitive data and start stealing your identity, Frosh noted; instead, they may hold onto it for use years later.
What was “aggravating” was Equifax's failure to patch a critical vulnerability in its computer network for 76 days after problems surfaced, Frosh said. Even “more aggravating” is the fact that most victims were not Equifax customers, per se, since they had not signed up for the firm's services. Instead the company widely collected and sold data involving tens of millions of Americans.
Equifax is a data, analytics and technology firm that is based in Atlanta and does business around the world.
In a news release, the firm said the money in the settlement will resolve class-action litigation and investigations by the CFPB, FTC, and the attorneys general in 48 states, Puerto Rico and the District of Columbia. The State of New York's Department of Financial Services also had a hand in the case.
Equifax's chief executive officer, Mark Begor, said in a statement Monday that the consumer fund of up to $425 million “reinforces our commitment to putting consumers first and safeguarding their data — and the seriousness with which we take this matter.”
In addition to helping consumers, Equifax must establish a comprehensive information-security program to protect sensitive personal data and the firm's board of directors must certify its compliance, said Joe Simons, the FTC chairman.
Part of the settlement will be payments totaling $175 million to the states, District of Columbia and Puerto Rico. The remaining part, $100 million, is to be paid to the CFPB in civil penalties.