Equifax on Monday agreed to pay up to $700 million to settle federal and state investigations into its massive 2017 data breach, which exposed about 45% of the U.S. population to fraud.
As part of its deal with the Federal Trade Commission, Equifax will pay at least $300 million — and up to $425 million — to reimburse people who paid for credit and identity-monitoring services due to its data breach. Another $175 million will be paid to all 50 states, as well as the District of Columbia and Puerto Rico, along with $100 million in penalties that will be paid to the Consumer Financial Protection Bureau.
The hack, which first came to light in September 2017, compromised the Social Security numbers, addresses, driver's license numbers and birth dates of 145 million Americans. Altogether, the credit services company is paying less than $5 per person affected by its data leak.
Full details of the settlement can be found at equifaxbreachsettlement.com, a website set up by the group that will handle claims.
Former Equifax CEO Richard F. Smith, during a trip to Congress that same year, blamed the data breach on “human error,” in which an unnamed employee failed to patch its security system even though the fix had been available for months before the hack.
Equifax’s deal with the FTC also requires it to make a number of changes to its security protocols.
“This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud,” FTC Chairman Joe Simons said in a statement on Monday.
Equifax’s stock climbed about 1% in early trading to $138.45 per share.