Millions of people whose personal data was compromised by the credit-monitoring company Equifax can now get money from a $700 million settlement states and the federal government reached with the credit reporting bureau.
California and other states sued Equifax, arguing the credit agency exposed personal information of 147 million customers. Compromised data includes customer names, Social Security numbers, birth dates, addresses and some driver’s license numbers, according to Becerra’s office.
About 15 million Californians were affected, the largest share from any state, California Attorney General Xavier Becerra’s office said.
Customers’ data was compromised in a cyberattack from mid-May through July 2017, but the company only announced the breach in September of that year.
Neither the company nor government agencies have disclosed who was behind the data breach, but “state-sponsored” hackers are suspected, said TiTi Nguyen, the lead California Department of Justice attorney on the case.
The U.S. Department of Homeland Security told Equifax to install a critical fix for part of its software, but the company failed to and did not discover the cyberattack until four months after hackers breached the system, Nguyen said at a Monday news conference.
The settlement requires the company to give $425 million to affected customers, pay $175 million in penalties to states and make security improvements. Equifax will also have to pay $100 million in fines to the federal Consumer Financial Protection Bureau.
It’s the largest data breach settlement ever, said Stacey Schesser, supervising deputy attorney general for consumer affairs at the California Department of Justice.
Becerra’s office will receive $18.7 million to litigate future consumer protection cases as part of the state penalty payments.
Those whose data was extracted must be on the lookout for fraud and identity theft for the rest of their lives, Becerra said. He noted that Equifax is one of only three credit agencies in the U.S., and that customers don’t have a say in whether those agencies collect their data.
“These companies have an obligation to protect your and my private information,” he said at the Monday news conference. “If they collect it, they must protect it.”
Customers affected by the breach can seek cash reimbursement for time or money spent trying to fight or avoid fraud. The $425 million will also cover some reimbursement for Equifax credit monitoring and identity theft protection subscriptions.
Affected customers can also sign up for free credit monitoring services for up to 10 years or cash to cover a different credit monitoring service.
Equifax customers can learn more about the agreement on online at http://www.equifaxbreachsettlement.com or by calling the settlement administrator at 833-759-2982.
Equifax CEO Mark W. Begor said the company is committed to protecting customers’ data in the future. In addition to the settlement money, Equifax is spending $1.25 billion on a “technology and security investment program,” Begor said.