Equifax Inc., which in 2017 sustained a data breach that potentially exposed sensitive information related to 148 million files, on Monday announced what that massive intrusion will cost the company. The Atlanta-based credit-reporting agency said it will pay $671 million as part of an agreement to settle multidistrict class-action litigation and probes by the Federal Trade Commission, the Consumer Financial Protection Bureau, the New York Department of Financial Services, and attorneys general for 48 states, the District of Columbia, and Puerto Rico.
The $671 million payment includes a fund of $380.5 million for affected consumers, $180.5 million for the state attorneys general, and fines totaling $100 million to the CFPB and $10 million to the NYDFS, according to a company 8-K filing.
The tab could go up from there. Equifax said it will pay up to $125 million more into the consumer fund if the initial sum is exhausted.
If approved by the U.S. District Court for the Northern District of Georgia, the multiple agreements will settle a class-action suit—Equifax, Inc. Customer Data Security Breach Litigation, MDL No. 2800—filed on behalf of consumers, in addition to the multiple state and federal investigations, with the exception of the NYDFS case. The agreement with the state attorneys general is subject to court approval in the relevant jurisdictions. Equifax says in the 8-K it expects to begin making payments by the end of September.
“This comprehensive settlement is a positive step for U.S. consumers and Equifax as we move forward from the 2017 cybersecurity incident and focus on our transformation investments in technology and security as a leading data, analytics, and technology company,” said Mark W. Begor, Equifax’s chief executive. “We have been committed to resolving this issue for consumers and have the financial capacity to manage the settlement … We are focused on the future of Equifax and returning to market leadership and growth.”
Equifax discovered the breach in July 2017 but waited two months to announce it publicly, stirring angry reactions from consumers and regulators. Included in the potentially exposed data were Social Security numbers and payment card account numbers. In the wake of the controversy that followed, then-CEO Richard Smith retired and the chief information officer and the chief security officer resigned. Begor took over the company last year.
In June 2018, Equifax entered into a consent order with eight states that mandated it improve its data-protection methods.