had exposed the personal financial data of 147 million people. This week the company struck a major deal with the Federal Trade Commission (FTC) that could result in a modest payout for impacted consumers.

, the settlement will result in Equifax paying between $575 million and $700 million to settle charges brought by the FTC. $380 million of that total will be assigned to a Consumer Restitution Fund and doled out directly to consumers.

According to a settlement FAQ, it could take several months for impacted users to see payouts. There’s additional detail over at the FTC settlement website. Users can also contact the Equifax Settlement Administrator at 1-833-759-2982 or by emailing info@EquifaxBreachSettlement.com.

The FTC notes that the entire scandal could have been easily avoided.

Equifax waited 40 days before even announcing the company had been hacked. Motherboard reporting revealed that the company’s IT administrators had known about the vulnerability for months before the hack occurred, yet didn’t apply basic patches for at-risk systems.

The vulnerability was simple and easy to exploit. An Equifax website and ACIS database that were supposed to be for internal use only wound up being publicly exposed to the broader internet. A simple forced browsing attack provided access to Social Security numbers, full names, birthdates, and partial addresses of millions of Americans.

"I've seen a lot of bad things, but not this bad," the security researcher told Motherboard. "It should've been fixed the moment it was found. It would have taken them five minutes, they could've just taken the site down."

When executives did find out about the threat, many decided to cash in on the knowledge. Former Equifax Chief Information Officer Jun Ying, for example, was just sentenced to four months in prison for insider trading on the news of the breach before it was formally announced. Equifax manager Sudhakar Reddy Bonthu also pleaded guilty to insider trading on the news.