The credit bureau Equifax is expected to pay around $650 million to settle federal and state investigations and consumer claims relating to a data breach that exposed sensitive information belonging to at least 145 million people, according to two people familiar with the settlement discussions.

The breach, which Equifax revealed in September 2017, included Social Security and driver’s license numbers and was one of the most severe exposures of Americans’ personal data. It drew widespread condemnation from lawmakers, law enforcement agencies and consumers. It also prompted the abrupt departure of Equifax’s chief executive and sent the company’s stock price tumbling, though the stock has since made back most of its losses.

[The settlements were announced on Monday: Equifax will pay at least $650 million.]

A $650 million payment would be in line with what the company expected. In a recent financial filing, Equifax said it had set aside $690 million to cover the anticipated legal costs of the hacking. It has also spent hundreds of millions of dollars on improving its technology systems and on free credit report monitoring services for those affected by the breach.

Attackers siphoned data out of Equifax’s computer systems over the course of months, through a known software vulnerability that inadvertently went unpatched. Who stole the data remains unknown — the company and law enforcement officials have not publicly attributed the crime, and cybersecurity experts have not seen the data surface in the kinds of online forums where stolen personal data is often bought and sold.