50 Attorneys General Secure $600 Million From Equifax In Largest Data Breach Settlement In History

Settlement Includes $425 Million Consumer Restitution Fund; Potentially 350,000+ District Consumers Eligible for Relief

WASHINGTON, D.C. - Attorney General Karl A. Racine today announced that Equifax will pay up to $600 million in restitution and penalties to resolve an investigation by 50 Attorneys General into a massive 2017 data breach. The coalition, which includes 48 states, the District of Columbia, and the Commonwealth of Puerto Rico, found evidence that Equifax’s failure to maintain reasonable security enabled hackers to access its systems and resulted in the largest-ever breach of consumer data. The breach exposed the personal information of 56 percent of American adults, including more than 350,000 District residents. Under the terms of the settlement, Equifax will set up a Consumer Restitution Fund of up to $425 million; pay $175 million to the states, including $4 million to the District of Columbia; strengthen its security practices; and work to assist consumers who are trying to prevent or recovering from identity theft.

“Today’s settlement holds Equifax accountable for its reckless failure to protect consumers’ personal information and for putting millions of Americans at risk for identity theft, financial losses, and other serious harms,” said AG Racine. “I encourage all District consumers to take steps to protect themselves from identity theft, including by regularly checking their credit report and freezing their credit. And if District consumers do become victims of identity theft, please contact the Office of the Attorney General for assistance.”

On September 7, 2017, Equifax, one of the largest consumer reporting agencies in the world, announced a data breach affecting 148 million consumers, including more than 350,000 of the District’s 700,000 residents. Breached information included Social Security numbers, names, dates of birth, addresses, credit card numbers, and in some cases, driver’s license numbers.

Shortly after the breach was announced, a coalition that grew to 50 Attorneys General launched a multi-state investigation. AG Racine and ten other state Attorneys General led the investigation. The investigation found that the breach occurred because Equifax failed to implement an adequate security program to protect consumers’ highly sensitive personal information. Despite knowing about a critical vulnerability in its software, Equifax failed to fully patch its systems. Equifax also failed to replace software that monitored the breached network for suspicious activity. As a result, the attackers penetrated Equifax’s system and went unnoticed for 76 days.

Under the terms of the settlement, Equifax will:

  • Pay up to $425 million in restitution to consumers: Equifax will create a single Consumer Restitution Fund of up to $425 million, with $300 million dedicated to consumer redress and an additional $125 million if the initial amount is exhausted. While the claims process is not yet open, consumers will be required to submit claims online or by mail. Paper claims forms can also be requested over the phone. Consumers will be able to obtain information about the settlement, check their eligibility to file a claim, and file a claim on the Equifax Breach Settlement online registry at https://www.equifaxbreachsettlement.com/. Consumers can also visit ftc.gov/equifax or call the Federal Trade Commission (FTC) at 1-833-759-2982 for more information.
     
  • Provide 10 years of free credit monitoring: Equifax will provide 10 years of free credit monitoring to consumers who were impacted by this breach. Consumers will be able to sign up for credit monitoring when the claims process opens.
     
  • Pay $175 million in penalties to the states: Equifax will pay a total of $175 million to the states, including at least $4 million to the District of Columbia, for violating consumer protection laws and failing to protect consumers’ personal information.
     
  • Strengthen its security practices: Equifax will be required to minimize its collection of sensitive data, minimize its use of Social Security numbers, and adopt best practices to strengthen security. These include performing regular security monitoring, logging, and testing; reorganizing and segmenting its networks; employing new policies around deploying critical security updates and patches; and reorganizing both its data security and patch management teams.
     
  • Assist consumers who are trying to prevent or recovering from identity theft: Equifax has agreed to assist consumers who are either facing identity theft issues or who have already had their identities stolen, including by making it easier for consumers to freeze and thaw their credit; making it easier for consumers to dispute inaccurate information in credit reports; and maintaining a sufficient number of staff members dedicated to assisting consumers who may be victims of identity theft.

The program to pay restitution to consumers will be conducted in connection with settlements that have been reached in the multi-district class actions filed against Equifax, as well as settlements that were reached with the FTC and the Consumer Financial Protection Bureau.

In addition to the District of Columbia, other Attorneys General participating in this settlement include Alabama, Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Virginia, Washington, West Virginia, Wisconsin, Wyoming, and the Commonwealth of Puerto Rico.

Protecting Your Personal Information 
For information about steps you can take to protect your own sensitive and private information, visit OAG’s Consumer Protection Library.

How to File a Consumer Complaint
Consumers can report data theft, scams, and unlawful or abusive business practices by calling OAG’s Office of Consumer Protection at (202) 442-9828, emailing consumer.protection@dc.gov, or submitting a complaint online using OAG’s Consumer Complaint Form.