News Releases
Media > News Releases > July 2019 > Attorneys General Secure $600 Million from Equifax in Largest Data Breach Settlement in U.S. Histor

News Releases

Attorneys General Secure $600 Million from Equifax in Largest Data Breach Settlement in U.S. History

7/22/2019

(COLUMBUS, Ohio) — Ohio Attorney General Dave Yost today announced that a multistate coalition of attorneys general, led in part by Ohio, has reached a settlement with Equifax following an investigation into its massive 2017 data breach.

The investigation found that Equifax’s failure to maintain reasonable security systems enabled hackers to penetrate its systems, exposing the data of more than 147 million consumers – the largest breach of consumer data in United States history.

“Today’s constant threat of cybercrime leaves no room for stewards of the public’s data to ignore security flaws,” Yost said. “Equifax knew about its vulnerability for months ahead of the breach but did nothing to plug the gap in its defenses. A swift response could have prevented this whole ordeal.”

The historic settlement includes a consumer restitution fund of up to $425 million and a $175 million payment to the states, with at least $7.14 million going to Ohio. The settlement also includes measures that aim to protect consumers’ information in the future.

On Sept. 7, 2017, Equifax, one of the largest consumer reporting agencies in the world, announced a data breach affecting nearly half of the U.S. population. Breached information included Social Security numbers, names, dates of birth, addresses, and, in some cases, credit card and driver’s license numbers.

Shortly after, a 47-state investigation found the breach occurred because Equifax failed to implement an adequate security program to protect consumers’ sensitive personal information. Despite knowing about a critical vulnerability in its software, Equifax failed to patch its systems, allowing outside actors to access the personal information. Additionally, Equifax failed to replace software that monitored the breached network for suspicious activity. As a result, the attack went unnoticed for 76 days.

Under the terms of the settlement, Equifax agreed to provide a single consumer restitution fund of up to $425 million, with $300 million dedicated to consumer redress, and up to an additional $125 million if the $300 million is exhausted. The restitution fund will be managed in connection with settlements from class action lawsuits filed against Equifax, as well as settlements reached with the Federal Trade Commission and Consumer Financial Protection Bureau. The company also will offer affected consumers extended credit-monitoring services for at least 10 years.

Consumers who are eligible for restitution will be required to submit claims online or by mail. Paper claims forms can also be requested over the phone. Consumers will be able to obtain information about the settlement, check their eligibility to file a claim, and file a claim on the Equifax Settlement Breach online registry. To receive email updates regarding the launch of this online registry, consumers can sign up at www.ftc.gov/equifax-data-breach. Consumers can also call the settlement administrator at 1-833-759-2982 for more information.

Equifax also has agreed to terms that will help consumers who are facing identity theft issues, including:

  • Making it easier for consumers to freeze and thaw their credit.
  • Making it easier for consumers to dispute inaccurate information on credit reports.
  • Requiring Equifax to maintain sufficient staff dedicated to assisting consumers who may be victims of identity theft.
Additionally, Equifax has agreed to strengthen its security practices in hopes of better protecting consumers’ information going forward by:
  • Reorganizing its data security team.
  • Minimizing its collection of sensitive data and the use of consumers’ Social Security numbers.
  • Performing regular security monitoring, logging and testing.
  • Employing improved access control and account management tools.
  • Reorganizing and segmenting its network.
  • Reorganizing its patch management team and employing new policies regarding the identification and deployment of critical security updates and patches.
In addition to Ohio, the other 46 attorneys general who conducted the multistate investigation and who are participating in the settlement include: Alabama, Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Utah, Vermont, Virginia, Washington, Wisconsin, Wyoming, and Washington D.C. Also joining in today’s settlement are Texas, West Virginia and Puerto Rico.
 

MEDIA CONTACT:
David O'Neil: 614-728-6069

–30–