The credit bureau Equifax has agreed to pay up to $700 million to settle federal and state charges stemming from a 2017 security breach that exposed personal data of nearly 150 million people, the Federal Trade Commission said Monday.
The settlement requires Equifax to pay between $300 million and $425 million to a fund that will provide consumers with credit monitoring, and will reimburse consumers who incurred expenses due to the data breach. The company also will provide all U.S. consumers with six free credit reports a year for the next seven years.
Equifax “engaged in a number of practices that, taken together, failed to provide reasonable security for the massive quantities of sensitive personal information stored within defendant’s computer network,” the FTC alleged in a complaint unveiled Monday.
Among other security lapses, Equifax allegedly stored consumers' Social Security numbers and credit card account numbers in plain text, according to the FTC's complaint.
The FTC also alleged that Equifax was alerted to a security vulnerability in March of 2017, but didn't patch the network until July of that year. In the interim, hackers obtained names and dates of birth for 147 million people, Social Security numbers for 145.5 million people, email addresses for 17.6 million people, and 209,000 credit card numbers and expiration dates, among other personal data.
“The attackers were able to steal a staggering amount of personal information due to a series of basic security failures,” the FTC alleged.
The settlement also calls for Equifax to pay $175 million to 48 states, the District of Columbia and Puerto Rico, and $100 million to the Consumer Financial Protection Bureau.
Some lawmakers on Monday renewed calls for new privacy laws in light of the facts surrounding the data breach.
“For years, Equifax compiled dossiers on American consumers on a massive scale and then played fast and loose with that data,” Sen. Ed Markey (D-Massachusetts) stated Monday. “This settlement is far from an adequate solution to our society’s data broker problem, and we have to do much more to stop the next breach before it happens.”
He added that he plans to reintroduce legislation that would allow consumers to prevent their information from being sold by data brokers for marketing purposes.
Sen. Amy Klobuchar (D-Minnesota) added that the settlement may help compensate people affected by the Equifax hack, but doesn't “address the broader problem of lax data security.”
Klobuchar, who proposed privacy legislation earlier this year, said Congress should “ensure that a breach of this magnitude never happens again.”