The credit bureau Equifax will pay at least $650 million and potentially significantly more to end an array of state, federal and consumer claims over a data breach two years ago that exposed the sensitive information of more than 148 million people. The breach was one of the most potentially damaging in an ever-growing list of digital thefts.
The settlement, which was announced on Monday and still needs court approval, would be the largest ever paid by a company over a data breach. The deal requires Equifax to put a minimum of $380.5 million into a restitution fund for American consumers who file claims showing that they were financially harmed.
A portion of that money will pay for lawyers’ fees, but at least $300 million must go to victims, according to settlement documents filed in federal court in Atlanta. If the initial cash is depleted, the company will add up to $125 million more to settle consumers’ claims, bringing the total fund size to more than $500 million.
Equifax also agreed to provide up to 10 years of free credit monitoring services to those who had their data exposed. The settlement assumes that around 7 million people will sign up for that service. If more do, Equifax’s costs for providing it could rise meaningfully.
Equifax will pay an additional $175 million in fines to end investigations by 50 attorneys general. Forty-eight states — all except Indiana and Massachusetts, which separately filed their own lawsuits against Equifax — are part of the deal, along with the District of Columbia and Puerto Rico.
“Equifax put profits over privacy and greed over people, and must be held accountable to the millions of people they put at risk,” said Attorney General Letitia James of New York, who helped lead the states’ investigation. “This company’s ineptitude, negligence and lax security standards endangered the identities of half the U.S. population.”
The deal also settles investigations by two federal regulators: the Consumer Financial Protection Bureau, to which Equifax will pay a $100 million fine, and the Federal Trade Commission, the primary federal overseer of data security issues. The F.T.C. is not charging a fine; unlike the consumer bureau, it has limited legal power to impose big financial penalties.
Equifax, based in Atlanta, has been negotiating for months to finalize this settlement, and it set aside $690 million last quarter to cover the anticipated costs. Separately, the company has responded to the breach by spending hundreds of millions of dollars on investigative costs, technology improvements, free credit monitoring services and legal fees.
The settlement’s total price tag adds up to a bit less than one typical quarter of sales for Equifax. Last year, the company earned $300 million, a 49 percent drop from its income a year earlier, on sales of $3.4 billion. Equifax’s stock price tumbled after the breach but has since recovered most of its losses.
Some consumer advocates wish the punishment had been sharper.
“The Equifax fine is grievously low, particularly given the scope of the identity problems they created,” said Pam Dixon, the executive director of the World Privacy Forum.
But the sum “is not insignificant,” said Christopher Peterson, a law professor at the University of Utah and a former enforcement lawyer at the Consumer Financial Protection Bureau. Settling the case quickly is probably a better outcome for consumers than years of legal battling, he added.
“My perspective is that this is a win for the various consumer protection agencies that are involved, but that over the long term, it creates only a relatively mild incentive for the big credit reporting agencies to strengthen their data security,” Mr. Peterson said. “The underlying law itself here does not provide as much protection as I think most Americans deserve and want.”
Equifax, one of America’s three largest credit bureaus, alongside Experian and TransUnion, has files on hundreds of millions of people worldwide that contain extensive details about their financial accounts and transactions. Equifax even receives copies of millions of Americans’ paychecks, which are fed into its Work Number database.
The company makes money by selling its vast trove of information to auto loan, mortgage and credit card issuers. Consumers can exercise some control over how their files are used — for example, by freezing them to prevent new credit lines from being opened — but they cannot opt out of the system and demand that Equifax or its competitors stop collecting and storing their personal information.
Law enforcement officials have never publicly identified who was behind the Equifax theft, and cybersecurity experts say they have not seen any sign of the information surfacing in the kinds of online marketplaces where stolen personal information is often bought and sold.
That has made it tricky to determine how much the attack has harmed consumers. There is little known evidence of consumer fraud directly attributed to the breach, but customers have spent countless hours taking precautionary steps like freezing their credit files and scouring them for signs of illicit activity.
Consumers seeking payments from the restitution fund will be required to submit claims, with documentation, showing that they have been a victim of fraud or have taken steps to set up credit monitoring services. Fraud victims will not have to prove that Equifax’s breach directly caused their loss; anyone who was affected by the breach and subsequently experienced fraud involving personal information that was stolen will be able to make a claim, according to settlement documents.
People who paid for credit monitoring or identity theft protection services will be eligible to have what they spent refunded. They will also be eligible for compensation for the time they spent dealing with the issues — such as hours on the phone talking to financial services providers — at a rate of $25 per hour, for up to 20 hours.
A new website will soon be set up to provide information and handle claims after the settlement receives court approval, regulators said. For now, customers can sign up for updates at www.ftc.gov/equifax-data-breach.
The Equifax hackers used a flaw that was known but accidentally left unfixed to gain access to dozens of databases. They did not steal Equifax’s crown jewels, its credit files, but they did obtain sensitive information like names, Social Security numbers, birth dates, addresses and driver’s license numbers.
For about 76 days, according to a government report, the hackers siphoned information out in small increments, until Equifax detected the intrusion in late July 2017. It was not until six weeks later that the company disclosed the breach.
Individuals, lawmakers and regulators responded with fury to both the loss of so much sensitive information and to the company’s bungled public response. Equifax created an information website that barely functioned. It struggled to keep up with the deluge of phone calls and messages from worried consumers and at one point, it even accidentally pointed those seeking information on the breach toward a fake website.
The turmoil led to the ouster of Equifax’s chief executive, Richard F. Smith, who retired shortly after the breach was revealed. Several other top executives, including the chief information officer and chief security officer, were also forced out. Last year, Equifax named an outsider, Mark Begor, a private equity executive, as its new chief executive.
After a series of fiery congressional hearings, in which lawmakers of both parties denounced Equifax for its missteps — “I can’t fix stupid,” Representative Greg Walden, Republican of Oregon, told Mr. Smith in one memorable exchange — lawmakers passed a few new restrictions on credit bureaus, including a law making credit freezes free. But there have been no major changes to the federal laws covering what information credit bureaus can collect and what steps they must take to safeguard it.
Major data breaches have become an almost routine occurrence. Last year, the Marriott hotel chain disclosed that thieves had stolen personal details on roughly 500 million guests, an attack that has been attributed to a Chinese intelligence-gathering effort. In May, a security journalist revealed that a major title insurance company, First American Financial Corporation, had left nearly 900 million documents related to mortgage deals lying openly on the internet, unprotected.