Credit-reporting company Equifax will pay up to $700 million to settle U.S. federal and state probes into a massive 2017 data breach of personal information that affected around 147 million consumers, authorities said on Monday.
The largest-ever settlement for a data breach draws to a close multiple probes into Equifax by the Federal Trade Commission, the Consumer Financial Protection Bureau and nearly all state attorneys general. It also resolves pending class-action lawsuits against the company.
Equifax shares were up 1.2 percent at $138.88 in morning trading.
"This companys ineptitude, negligence, and lax security standards endangered the identities of half the U.S. population," New York state Attorney General Letitia James said in a statement.
Under the settlement, the company will pay a $175 million fine to the states and $100 million to the CFPB.
The company will also establish a $300 million restitution fund for harmed consumers which could climb to $425 million depending on how many customers use it. While roughly half of all Americans saw their information compromised, the restitution fund is only available to consumers who can show they suffered direct costs from the breach, either as victims of fraud or by setting up credit-monitoring services.
Affected consumers will also be eligible for 10 years of free credit monitoring from Equifax, and the company agreed to make it easier for consumers to freeze their credit or dispute inaccurate information in credit reports.
Regulators on Monday said Equifax broke laws protecting consumers from unfair and deceptive practices by failing to provide reasonable security for the massive quantities of sensitive personal information it stored, and by deceiving consumers about the strength of its data security program
Equifax, one of three major credit-reporting companies, disclosed in 2017 that a data breach had compromised the personal information, including Social Security numbers, of 143 million Americans. Including Canadian customers, around 147 million consumers were affected in total.
The hackers behind the breach have never been identified by authorities.
The scandal sent the company into turmoil, leading to the exit of its then-chief executive, Richard Smith, as slowness to disclose the breach and security practices were challenged by lawmakers and policymakers.
They questioned how private companies could amass so much personal data, setting off efforts to bolster consumers' ability to protect and control their information. The Senate Banking Committee is currently working on legislation that would require companies to better protect consumer data.
"While Im happy to see that customers who have been harmed as a result of Equifaxs shoddy cybersecurity practices will see some compensation, we need structural reforms and increased oversight of credit reporting agencies in order to make sure that this never happens again," Democratic Senator Mark Warner said in a statement.
Equifax's new CEO, Mark Begor, said the settlement was a "positive step" for the company that would allow it to focus on investing in technology and security. Equifax took a $690 million charge in the first quarter to cover the anticipated fine.
As part of the settlement, the company has also agreed to bolster its security practices and have its policies assessed regularly by a third party.