Equifax, regulators sign $700m deal to settle data breach lawsuits

The massive security incident exposed personal details belonging to almost 150 million customers.
Written by Charlie Osborne, Contributing Writer

Equifax signed a settlement today to lay to rest lawsuits brought forward by the US Federal Trade Commission (FTC), state attorneys, and a class-action case relating to the firm's 2017 data breach. 

The security incident was caused by a failure to resolve a known security flaw in Apache Struts, despite a patch being made available two months prior to the breach. 

This permitted a hacker to access the credit monitoring company's systems, leading to the theft of records belonging to over 146 million users.

Names, dates of birth, Social Security numbers, phone numbers, email addresses, and driver's license details were among the data sets stolen. 

Such a severe -- and preventable -- lapse in security prompted regulators and impacted individuals to take Equifax to task through the legal system. However, the FTC announced a settlement today.

Under the terms of the deal, Equifax will reportedly pay at least $575 million, and potentially up to $700 million in damages. The settlement will resolve claims made by the FTC, the Consumer Financial Protection Bureau, a number of state attorneys, as well as a consumer-focused class-action lawsuit. 

According to the proposed settlement, Equifax will pay $300 million into a fund that will provide affected consumers with credit monitoring services. The fund will also be available for Equifax customers who bought credit or identity monitoring services from Equifax and paid other out-of-pocket expenses as a result of the 2017 security breach.

Equifax also agreed to supplement the fund with up to $125 million if the initial payment is not enough to compensate impacted consumers.

But that's not all. Equifax also agreed to provide consumers with six free credit reports each year for seven years, starting in January 2020. This is in addition to the existing free credit report that all consumers are entitled to receive.

And last, Equifax will also pay $175 million to 48 states, the District of Columbia and Puerto Rico, as well as $100 million to the Consumer Financial Protection Bureau in civil penalties.

Equifax is yet to fully recover from the data breach. The firm's chief executive, Richard Smith, stepped down; hundreds of millions of dollars have been spent on shoring up security and securing cybersecurity insurance; Equifax's ratings outlook has suffered; sales have stagnated; and former employees who profited from the data breach have chipped away at the company's already-battered reputation.

Equifax is not the only credit monitoring service to suffer an extensive data breach. In 2015, Experian disclosed a data breach which led to the compromise of information -- including Social Security numbers -- belonging to 15 million consumers. 

ZDNet has reached out to Equifax and will update if we hear back. 

Article updated with link to FTC announcement. Title updated accordingly as well. Update by Catalin Cimpanu.
