Equifax, the credit consumer reporting agency, will have to pay at least $650 million to resolve most claims stemming from the 2017 data breach that exposed the personal data of more than 147 million consumers, the New York Times reported. A federal judge in Atlanta approved the settlement on July 22. This is the largest data breach settlement thus far, surpassing the $148 million penalty Uber agreed to last year, BBC reported.

The settlement is the result of investigations by two US federal agencies, the Consumer Financial Protection Bureau and the Federal Trade Commission, and 48 state attorneys general. Massachusetts and Indiana sued the company separately; their suits haven’t been resolved yet.

The company had set aside $690 million last quarter to cover the potential costs. The current settlement figure of $650 million is roughly what the company earns in sales in a quarter. In 2018, the company earned $300 million on sales of $3.4 billion.

Who is compensated?

  • Victims who lost money
  • People who lost time navigating phone trees and credit card customer service lines, who can bill Equifax $25 for their time

However, it is not yet clear who will be approved for compensation on the grounds that their identities were stolen.

Terms of the settlement

According to settlement documents,

  • Almost half the amount, $300 million, will go to American consumers harmed by the breach; Equifax will add up to $125 million if this fund is depleted
  • Consumers who can show they suffered direct costs following the breach will be eligible for restitution, capped at $20,000 per person
  • $175 million in fines to end investigations by 48 states, the District of Columbia, and Puerto Rico, and $100 million to the CFPB, Reuters reported
  • Equifax will provide up to 10 years of free credit monitoring services to victims of the breach in the US; it is paying Experian, a competitor, to provide the service for the first four years (the settlement assumes that only 7 million people will sign up). Every million consumers who opt in will cost Equifax more than $16 million. If all 147 million victims of the breach opt in, it would cost Equifax more than $2 billion
  • Review of its security policies by a government-appointed third party
  • Equifax’s board must annually certify that it complied with the settlement terms, or be fined

Information for consumers will be posted at equifaxbreachsettlement.com, set up by the group that will handle claims.

What was the Equifax breach?

Equifax is one of the three largest credit bureaus in the US; Experian and TransUnion are the other two. In July 2017, Equifax discovered that attackers had been stealing information from company servers for 76 days. The company disclosed the breach more than a month after discovering it.

The FTC said that Equifax had been warned in March 2017 that one of its databases suffered from a critical vulnerability, BBC reported. The company failed to patch the vulnerability, and as a result multiple hackers were able to exploit the flaw and steal consumers’ personal details.

The stock price of the company tumbled after the breach, but it has since recovered most losses.

The hackers reportedly copied:

  • At least 147 million names and dates of birth
  • About 145.5 million Social Security Numbers
  • 209,000 payment card numbers and expiration dates

It has been difficult to quantify the harm caused by the breach to consumers because cybersecurity experts have not seen the stolen data surface in online marketplaces where such stolen information is trafficked.

The UK’s Information Commissioner’s Office had already fined Equifax £500,000 for failing to protect the personal information of up to 15 million British citizens during the same attack.