Equifax settles in security breach that affected more than 4M Virginians

Jeremy M. Lazarus | 7/26/2019, 6 a.m.

Consumer credit information giant Equifax has agreed to pay up to $700 million for allowing hackers to breach its computers and grab the personal information of nearly 150 million people.

It was the largest breach in U.S. history, exposing the names, Social Security numbers, driver’s license numbers and addresses of consumers, according to the Federal Trade Commission.

The deal is designed to settle federal and state probes into the September 2017 information breach, but will not affect private lawsuits that are still active.

The FTC announced the settlement with Equifax on Monday.

One key item in the settlement: Equifax will create a fund of up to $425 million to reimburse people up to $20,000 each if they suffered losses from identity theft because of the breach or for expenses dealing with it. That includes the cost of purchasing credit monitoring or identity theft insurance.

The FTC stated that the settlement must first receive court approval before claims can be filed. After that, people will have options to file a claim online or by mail, the FTC stated.

Equifax also has agreed to take several steps to assist consumers facing identity theft issues. That includes providing up to seven years of assistance to those dealing with identity theft and $1 million in identity theft insurance. The company also agreed to provide up to 10 years of free credit monitoring for those hit by identity theft and up to 18 years for minors whose information was breached.

The company also agreed to provide six additional free credit reports a year to all Americans and to simplify the process consumers face to dispute information in their credit report.

Equifax also is to pay $275 million in civil penalties to 48 states, the District of Columbia, Puerto Rico and the Consumer Financial Protection Bureau that were jointly probing the matter.

Virginia is to receive $4.3 million from the penalty payment, according to state Attorney General Mark R. Herring, whose office participated in what he called the largest enforcement action involving a data breach.

“More than 4 million Virginians had their personal information compromised by Equifax’s negligence and failure to implement adequate security programs,” Mr. Herring stated. “I hope this settlement sends a message to companies nationwide that my colleagues and I will not tolerate their failure to keep consumers’ information protected and private.”

The deal also will require Equifax to upgrade its software to ensure heightened security, undergo annual assessments of security risks and receive a certification from the FTC that it is complying with the settlement.

“Companies that profit from personal information have an extra responsibility to protect and secure that data,” said FTC Chairman Joe Simons in a statement. “Equifax failed to take basic steps that may have prevented the breach.”

Hackers leveraged a security flaw in a tool designed to build web applications to steal customer data. Equifax admitted it was aware of the security flaw two months before hackers first accessed its data, but took no action to address it.