Equifax will pay potentially up to $700 million to settle state and federal investigations related to a data breach two years ago that exposed personal information belonging to more than 145 million people.
Under the agreement announced by the Federal Trade Commission on Monday, the credit firm will pay $300 million to provide monitoring services for those affected by the hacking. That amount could increase another $125 million if the initial settlement is not enough to cover consumer losses.
Equifax will also pay $175 million to 48 states, the District of Columbia and Puerto Rico to settle lawsuits and another $100 million in civil penalties to the Consumer Financial Protection Bureau.
“This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud,” FTC Chairman Joe Simons said in a statement.
At the beginning of September almost two years ago, Equifax officially alerted the public about the mass cybersecurity intrusion, almost two months after it discovered it.
The breach — one of the most severe in U.S. history — included sensitive information, such as Social Security and driver’s license numbers, and prompted swift condemnation from bipartisan lawmakers, agencies and consumers.
The thieves were able to access a company portal after Equifax failed to patch a security flaw that it knew about.
Following the breach, the Atlanta-based company’s stock tumbled and its CEO, Richard Smith, was ousted.
Last year, Congress passed legislation barring credit-reporting agencies from charging fees to freeze and unfreeze credit reports. Some lawmakers, including Sen. Elizabeth Warren, a 2020 presidential hopeful, have called for more robust FTC enforcement.