
Equifax will pay up to $700 million to settle data breach hack investigation

FILE - This July 21, 2012, file photo shows signage at the corporate headquarters of Equifax Inc., in Atlanta. Equifax will pay up to $700 million to settle with the Federal Trade Commission and others over a 2017 data breach that exposed Social Security numbers and other private information of nearly 150 million people. The proposed settlement with the Consumer Financial Protection Bureau, if approved by the federal district court Northern District of Georgia, will provide up to $425 million in monetary relief to consumers, a $100 million civil money penalty, and other relief. (AP Photo/Mike Stewart, File)

(CNN) — Credit reporting agency Equifax has reached a deal to pay up to $700 million to state and federal regulators to settle probes stemming from a data breach that exposed the personal information of nearly 150 million people.

The Federal Trade Commission announced Monday that Equifax will pay at least $300 million and as much as $425 million to compensate affected people with credit monitoring services. That money will go into a fund that will also reimburse people who purchased credit- or identity-monitoring services because of the 2017 data breach. The amount of the settlement could change depending on the number of claims still to be filed by consumers.

Equifax will also pay $275 million in civil penalties and other compensation to 48 states, Washington, Puerto Rico and the Consumer Financial Protection Bureau.

The deal also requires more changes to how Equifax handles private user data. For example, the company will have to adjust its information security protocols, including conducting annual assessments of security risks and obtaining the board’s certification attesting that the company has complied with the FTC’s order.

The FTC alleges Equifax violated the agency’s prohibition against unfair and deceptive practices. The FTC said Equifax failed to properly safeguard people’s personal information despite claiming in its privacy policy that it implemented “reasonable physical, technical and procedural safeguards” to protect their data.

“Companies that profit from personal information have an extra responsibility to protect and secure that data,” said FTC Chairman Joe Simons in a statement. “Equifax failed to take basic steps that may have prevented the breach.”

The hack, the largest in US history, exposed sensitive information, including names, Social Security numbers, driver’s license numbers and addresses.

Equifax did not respond to CNN Business’ request for comment.

Equifax first disclosed the hack in September 2017, three months after the company discovered the breach.

Hackers leveraged a security flaw in a tool designed to build web applications to steal customer data. Equifax admitted it was aware of the security flaw a full two months before the company says hackers first accessed its data.

The data breach prompted the resignation of CEO Richard Smith and investigations by federal regulators and multiple state attorneys general, and the company faces a number of civil lawsuits.

The-CNN-Wire
™ & © 2019 Cable News Network, Inc., a Time Warner Company. All rights reserved.