Equifax signed a settlement for the lawsuits brought forward by the US Federal Trade Commission (FTC), state attorneys, and a class-action case in relation to the company’s 2017 data breach.
The security incident happened due to a failure to resolve a known security flaw in Apache Struts even though a patch was made available two months prior to the breach.
The security flaw allowed an attacker to access the credit monitoring company’s systems, leading to the theft of records of more than 146 million users.
The stolen data includes users' names, dates of birth, Social Security numbers, phone numbers, email addresses, and driver's license details.
The breach was severe, could have been prevented, and resulted from the company's own security failure, which prompted regulators and the affected people to take Equifax to task through the legal system.
The FTC has announced a settlement, according to which Equifax will need to pay at least $575 million, and potentially up to $700 million in damages. The settlement will resolve claims made by the FTC, the Consumer Financial Protection Bureau, a number of state attorneys, as well as a consumer-focused class-action lawsuit.
As per the proposed settlement, Equifax will pay $300 million into a fund to provide affected consumers with credit monitoring services. The fund will also be available for Equifax customers who bought credit or identity monitoring services from Equifax and paid other out-of-pocket expenses due to the 2017 security breach.
Equifax also agreed to supplement the fund with up to $125 million if the initial payment is not enough to compensate impacted consumers.
Equifax also agreed that, with effect from January 2020, it will provide users with six free credit reports every year for seven years. These are in addition to the existing free credit report that all consumers are entitled to receive.
And finally, Equifax will also pay $175 million to 48 states, the District of Columbia and Puerto Rico, as well as $100 million to the Consumer Financial Protection Bureau in civil penalties.
Equifax is yet to fully recover from the data breach. The firm's chief executive, Richard Smith, resigned; hundreds of millions of dollars have been spent on security and on securing cybersecurity insurance; the company's ratings outlook was affected; sales have declined; and former employees who profited from the data breach have withdrawn at the company's bad reputation.