Equifax has agreed to pay up to $700 million to settle American investigations into a huge data breach two years ago, an amount that dwarfs the £500,000 fine imposed by Britain’s data protection watchdog.
Federal and state agencies said that Equifax “engaged in unfair and deceptive practices” in connection with the breach, which affected about 147 million people. It is one of the largest known breaches in terms of people affected.
Equifax, one of the “big three” credit reporting agencies alongside Experian and Trans Union, collects credit data on about 800 million people. The company revealed in September 2017 that its computer network had been hacked and information including names, addresses, dates of birth and social security numbers had been stolen. About 15 million accounts linked to UK residents were affected by the hack. In September last year, the UK Information Commissioner’s Office fined Equifax £500,000, the largest penalty it was allowed to impose. The agency is now able to impose larger penalties after a change in the law.
The US settlement was agreed with the Consumer Financial Protection Bureau, the Federal Trade Commission, 48 states, the District of Columbia and Puerto Rico. They accused Equifax of “failing to provide reasonable security for the massive quantities of sensitive personal information stored within its computer network, causing substantial injury to consumers whose data was stolen” and “deceiving consumers about the strength of its data security programme”.
Letitia James, the New York attorney-general, said: “Equifax put profits over privacy and greed over people, and must be held accountable to the millions of people they put at risk. This company’s ineptitude, negligence and lax security standards endangered the identities of half the US population.”
Joe Simons, chairman of the Federal Trade Commission, said: “Companies that profit from personal information have an extra responsibility to protect and secure that data. Equifax failed to take basic steps that may have prevented the breach.”
Mark Begor, chief executive of Equifax, said that the settlement was a “positive step”. In its last quarterly report, Equifax said that it had set aside $690 million to cover the penalties.
Equifax shares, down 2 per cent since the breach emerged, rose $0.74, or 0.6 per cent, at $138.04 by midday in New York, valuing the company at $16.7 billion.