As part of a settlement with the Federal Trade Commission (FTC), credit score agency Equifax has agreed to pay up to $700 million (£561m) for a data breach which saw the records of at least 147 million people exposed.

The FTC accused the company of failing to take “basic” steps to secure its network, which left it vulnerable to attack.

Around $300m of that figure has been earmarked to go towards paying for identity theft services and other related expenses run up by the victims. That number could increase to a maximum of $425m if needed to cover all the consumers’ costs.

The remaining sum will be portioned between 50 US states and territories with a penalty paid to the Consumer Financial Protection Bureau.

As well as financial reimbursement, the company will also provide all its US customers with six free credit reports every year for seven years.

The company will provide US customers affected by the breach with ten years of free credit monitoring. It has been estimated that if all 147 million class-action claimants sign up for free credit monitoring, the cost to the company could be as much as $2 billion.

Lawyers for the claimants also said the company is required to spend at least $1 billion over the next five years on cybersecurity.

FTC chairman Joe Simons said: “Equifax failed to take basic steps that may have prevented the breach. This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud.”

Mark Begor, Equifax chief executive, said: “This comprehensive settlement is a positive step for US consumers and Equifax as we move forward from the 2017 cybersecurity incident.”

The FTC stated that in addition to stealing information, the hackers also copied:

At least 147 million names and dates of birth

More than 145.5 million Social Security numbers

A total of 209,000 payment card numbers and expiration dates

Equifax has already been fined £500,000 by the UK’s Information Commissioner’s Office for failing to protect up to 15 million British consumers’ personal information during the same breach.

As part of the agreement the FTC said that Equifax had also agreed to:

Carry out its own annual audit of security risks

Submit to an external assessment of its security efforts once every two years

Ensure that third parties that are given access to personal data stored by the firm also have adequate data protection measures in place

Equifax will also have to roll out an “aggressive” advertising campaign to ensure those entitled to compensation are aware of it. The campaign will be carried out via social media, radio, print and various other digital outlets.
