Equifax announces $671 million settlement for 2017 hack

The deal would make money available to affected consumers, but some lawmakers want to go further.

One of the largest data breaches in American history now has a price tag attached. Credit-monitoring giant Equifax announced a $671 million settlement with the Federal Trade Commission today over a 2017 breach that exposed more than 147 million Americans' personal and financial data.

Pending court approval, the deal would create a non-reversionary pot of $380.5 million that would be used by all three major credit-reporting companies (Equifax, Experian and TransUnion) to reimburse individuals who can prove they were victims of the breach. Equifax also agreed to pay an additional $1 billion for cybersecurity and data protection services and would need to kick an extra $125 million into the settlement pot if more than 7 million individuals sign up for credit monitoring. The remaining money would go toward fines to various regulatory bodies and legal fees for consumers who brought lawsuits.

Affected consumers will be able to request up to $20,000 for any expenses incurred as a result of the breach. They would also be eligible for seven years of free identity-restoration services and 10 years of free credit-monitoring services.

The settlement will cover more than 300 combined class-action civil lawsuits against the company as well as numerous investigations by the FTC, the Consumer Financial Protection Bureau, 48 states, Puerto Rico and the District of Columbia.

"This comprehensive settlement is a positive step for U.S. consumers and Equifax as we move forward from the 2017 cybersecurity incident and focus on our transformation investments in technology and security as a leading data, analytics and technology company," Equifax CEO Mark Begor said in a statement.

The 2017 hack and subsequent investigations that found major security lapses and "a culture of cybersecurity complacency" at Equifax led to outrage among the public and lawmakers. Many also took issue with the fact that several top executives at the company sold millions of dollars worth of personal shares of Equifax stock right before the incident was publicly disclosed.

So far, data stolen in the hack has not surfaced for sale on the dark web or any other known black marketplace, giving rise to suspicions that the attack may have been carried out by a state-backed entity seeking to use the information for intelligence purposes, not profit. Because the data has not surfaced, it may be nearly impossible for many individuals to prove they are eligible for reimbursement.

The breach has cost Equifax hundreds of millions of dollars, not just in potential settlement payouts but also for a range of new costs and heightened protections taken in the wake of the breach. In May, the company had its credit rating outlook downgraded by Moody's Investors Service, which cited the 2017 hack, expected settlements and increased annual costs for cybersecurity as among the primary reasons for the lower grade.

Although several lawmakers said they welcomed news of the settlement, it was not enough to temper their anger over the breach or shelve calls for additional oversight of Equifax and other credit agencies.

"Americans don't choose to have companies like Equifax collecting their data -- by the nature of their business models, credit bureaus collect your personal information whether you want them to or not," Sen. Mark Warner (D-Va.) said in a statement. "In light of that, the penalties for failing to secure that data should be appropriately steep. While I'm happy to see that customers who have been harmed as a result of Equifax's shoddy cybersecurity practices will see some compensation, we need structural reforms and increased oversight of credit-reporting agencies in order to make sure that this never happens again."

Sen. Ron Wyden (D-Ore.), who has proposed draft legislation that would direct the FTC to create mandatory minimum cybersecurity standards for companies like Equifax and implement a range of other consumer protections, called the hack "easily avoidable" and said market forces alone will not force companies like Equifax to better safeguard Americans' data.

"In a just world, these executives would be going to jail," Wyden said. "No one should be able to collect deeply sensitive information on 200 million people without their consent, treat it with reckless disregard and then just pay a fine when a predictable, easily avoidable hack takes place."