Equifax will pay at least 700 million dollars (£560 million) — and potentially much more — to settle lawsuits over a 2017 data breach that exposed the social security numbers and similar sensitive information of roughly half of the US population.
The settlement with federal authorities and states, reached on Monday, includes up to 425 million dollars in monetary relief to consumers, a 100 million dollar civil penalty, and other offers to the nearly 150 million people who could have been affected.
The settlement cannot guarantee safety for individuals whose stolen information could circulate on the internet for decades.
The breach was one of the largest to threaten Americans’ private information. The intruders got in through a known security vulnerability that Equifax had not patched, and the credit reporting company did not notice them targeting its databases for more than six weeks.
The compromised data included social security numbers, birth dates, addresses, driving licence numbers, credit card numbers and in some cases, data from passports. The resulting scandal led to the abrupt dismissal of Equifax’s then-CEO and many other executives at the company.
“Companies that profit from personal information have an extra responsibility to protect and secure that data,” said Federal Trade Commission chairman Joe Simons. “Equifax failed to take basic steps that may have prevented the breach.”
Equifax CEO Mark Begor said in a statement that the settlement “reinforces our commitment to putting consumers first and safeguarding their data”.
Consumer advocates were generally positive about the settlement, but had concerns about its timescale. Claims can only be filed for the next four years, yet the thieves stole permanent identifying information such as social security numbers and birth dates, which, unlike a password or card number, cannot be changed and could be used for decades to commit identity theft.
“What happens if a consumer is the victim of ID theft in the fifth year resulting from the breach, which costs the consumer tens of thousands of dollars?” said Chi Chi Wu, staff attorney at the National Consumer Law Center.
The settlement also underscores that US consumers are still at the mercy of credit-reporting companies when it comes to protecting their personal details. Two years after the breach, Equifax, along with competitors TransUnion and Experian, remains one of the primary repositories of the data that banks use to make credit decisions.
They face little regulation and disclose few details about their operations, despite promises to tighten security and rebuild consumer trust. Ordinary people have no easy way to opt out of the data collection that lands their personal details in corporate databases.
Equifax’s CEO said he has seen zero evidence that the stolen data has appeared for sale on the so-called “dark web” and no evidence of increased identity theft because of the breach. The company did not provide any evidence to back up that claim.
Security experts said there’s really no way to know, especially in the absence of third-party validation. “You cannot determine with certainty that the information will never wind up in the hands of people who are going to use it,” said Ryan Calo, a law professor at the University of Washington.
“It is a lifetime risk exposure,” said Rich Mogull, CEO of the security firm Securosis, who added that the data might be useful for surreptitious uses beyond direct identity fraud.
Settlement payments will flow through a number of complex channels. Equifax will initially pay 380.5 million dollars into a fund to cover identity theft resulting from the breach, as well as any costs related to credit monitoring. The company will pay an additional 125 million dollars if victims’ out-of-pocket expenses deplete the initial fund.
Should all 147 million victims sign up for credit monitoring services, Equifax could potentially be on the hook for 2 billion dollars.
Equifax will offer victims of the breach free credit monitoring services for up to 10 years, identity-restoration services for seven years, and six Equifax credit reports annually for the next seven years. That is on top of the free report all credit reporting companies must offer US residents every year.
Victims can also seek up to 125 dollars as reimbursement for the cost of a credit-monitoring product of their choice. Consumers must submit claims to receive either the free credit monitoring or the cash reimbursement. The settlement received preliminary approval from a federal judge on Monday, and claims processing can begin on Tuesday.
Equifax will have to spend at least a billion dollars over five years to enhance its cybersecurity practices and will owe a 100 million dollar fine to the Consumer Financial Protection Bureau and tens of millions of dollars to states and territories to settle their lawsuits.