Shapiro: Equifax to pay up to $700M in data breach settlement

Photo credit Mike Stewart/AP, file
HARRISBURG, Pa. (KYW Newsradio) — Pennsylvania Attorney General Josh Shapiro has secured a $600 million settlement with Equifax, the credit reporting agency whose massive 2017 data breach exposed the personal information of millions of Americans. 

Shapiro, who led an investigation that included 49 other attorneys general, made the announcement Monday morning during a conference call.

He said Equifax will shell out $425 million to reimburse consumers for money lost through identity theft, the cost of credit monitoring, and even time spent on hold with credit bureaus trying to freeze their accounts. Equifax will pay another $175 million payment to the states, plus a $100 million civil money penalty, totaling $700 million in all.

"This is the largest data breach settlement in United States history," he said. "Identities were stolen, Social Security numbers were taken to the dark web for purchase, and hours of time were wasted on the phone with consumers trying to freeze their credit."

The data breach, which Equifax announced in September 2017, affected 56 percent of Americans, approximately more than 147 million. Names, dates of birth, addresses, credit card numbers, and some driver’s license and passport numbers were also revealed in the breach.

Shapiro's investigation found that Equifax "failed to implement an adequate security program" and "failed to fully patch its systems." It also did not replace its software that monitored the breached network, leaving it vulnerable to attackers who went unnoticed for 76 days.

"Equifax has also agreed to provide 10 years of (free) consumer monitoring, and a consumer assistance process that will provide resources for consumers for fraud alerts or security freezes on their credit files," Shapiro added.

If consumers choose not to enroll in the free credit monitoring, they may seek up to $125 as a reimbursement for the cost of a credit-monitoring product of their choice. Consumers must submit a claim in order to receive free credit monitoring or cash reimbursements.

Among other measures, Equifax has agreed to strengthen its security practices and minimize the collection of sensitive data, including the use of consumers' Social Security numbers. Of its payments to the states, $7.3 million will go to Pennsylvania.

Shapiro added: "If you put your profits over the well-being of your consumers and the security of their sensitive information, we will hold you accountable."


The Associated Press contributed to this report. © Copyright 2019 The Associated Press. All Rights Reserved. This material may not be published, broadcast, rewritten or redistributed.