Equifax to pay up to $700m over data breach of 147 million consumer records

Consumers affected by the Equifax breach will be able to claim up to $20,000 each in compensation

Credit reference agency Equifax has agreed to pay as much as $700 million in fines and compensation in a settlement with US regulators over its 2017 data breach.

The breach compromised the records of up to 147 million consumers, including as many as 15.2 million UK consumers. The company had originally said that just 400,000 Brits were caught up in the security breach.

Affected consumers in the US will be able to claim up to $20,000 each in compensation from a fund of up to $425 million to be provided by Equifax. The fund is intended to compensate consumers for time spent dealing with the aftermath of the data breach, at a rate of $25 per hour up to a maximum of 20 hours, as well as for fees paid to accountants or lawyers and for losses from any subsequent identity theft.

In addition, anyone whose data was stolen will be able to claim a one-off $125 payment or, alternatively, receive at least four years of free credit monitoring, after which Equifax will have to provide a further six years of free monitoring of their Equifax credit report.

The company will also pay a $175 million fine to 48 US states, as well as the District of Columbia and Puerto Rico, plus $100 million to the US Consumer Financial Protection Bureau (CFPB). Total costs to the company could be as high as $700 million, depending on how much of the $425 million consumer fund is paid out.

On top of all that, the company is required under the terms of the settlement to spend at least $1 billion improving its data security practices and procedures. In an official investigation into the security breach, the company was accused of a series of IT security control and process failings that facilitated the security breach.

Early on in the company's internal investigation, Equifax had pointed the finger of blame at an unpatched Apache Struts server that bosses claimed had left the door open to the attackers.

The company revealed in regulatory filings published in March 2018, around six months after the attack, that the breach had cost it at least $439 million. On top of that, the company's insurance will not cover more than $125 million of the losses.

The settlement revealed today is expected to resolve all outstanding claims in the US over the data breach, which is believed to have been carried out by a group connected with Chinese intelligence.

"Equifax put profits over privacy and greed over people, and must be held accountable to the millions of people they put at risk. This company's ineptitude, negligence, and lax security standards endangered the identities of half the US population," said New York attorney general Letitia James.

Security guru Bruce Schneier suggested at the time that the Equifax breach showed the US needed a Sarbanes-Oxley-style act for IT security to make companies take it seriously.