Equifax will pay potentially up to $700 million to settle state and federal investigations related to a data breach two years ago that exposed personal information belonging to more than 145 million people.
Under the agreement announced by the Federal Trade Commission on Monday, the credit firm will pay $300 million to provide monitoring services for those affected by the hacking. That amount could increase another $125 million if the initial settlement is not enough to cover consumer losses.
''It’s time for the company to do what’s right and not only pay restitution to the millions of victims of their data breach, but also provide every American who had their highly sensitive information accessed with the tools they need to battle identity theft in the future," said New York Attorney General Letitia James.
The fund "reinforces our commitment to putting consumers first and safeguarding their data - and reflects the seriousness with which we take this matter," said CEO Mark Begor. "We are focused on the future of Equifax and returning to market leadership and growth."
Equifax will also pay $175 million to 48 states, the District of Columbia and Puerto Rico to settle lawsuits and another $100 million in civil penalties to the Consumer Financial Protection Bureau.
"This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud," FTC Chairman Joe Simons said in a statement.
At the beginning of September almost two years ago, Equifax officially alerted the public about the mass cybersecurity intrusion, almost two months after it discovered it.
The breach -- one of the most severe in U.S. history -- included sensitive information, such as Social Security and driver’s license numbers and prompted swift condemnation from bipartisan lawmakers, agencies and consumers.
The thieves were able to access a company portal after Equifax failed to patch a security flaw that it knew about.
Following the breach, the Atlanta-based company’s stock tumbled and its CEO, Richard Smith, was ousted.
Last year, Congress passed legislation barring credit-reporting agencies from charging fees to freeze and unfreeze credit reports. Some lawmakers, including Sen. Elizabeth Warren, a 2020 presidential hopeful, have called for more robust FTC enforcement.