The Federal Trade Commission said in a statement Monday that Equifax has agreed to initially pay at least $575 million in fines as part of the settlement with the federal government and states over its “failure to take reasonable steps to secure its network” that led to the breach.
Hackers stole credit files on 147 millions Americans, but also British and Canadian nationals, including Social Security numbers, dates of birth, and thousands of payment card records in the May 2017 breach.
The company came under fire by congressional committees and security experts alike after it was found that Equifax had not properly rolled out publicly released patches on its network months prior to the data breach.
Former chief executive Richard Smith, who retired in the wake of the scandal, blamed the lack of patching on a single employee.
A House Oversight Committee later blamed institutional failings and said the breach was “entirely preventable.”
This marks the largest fine ever issued by the FTC following the $148 million fine handed to Uber following its own data breach. However, the fine amounts to as much as 20% of Equifax’s 2018 revenue of $3.41 billion. U.K. authorities already issued its maximum penalty of £500,000 — about $624,000 — under its since-replaced legislation. Under the new GDPR rules which had not come into effect at the time of the Equifax breach, the credit rating agency would’ve been liable for fines of up to 4% of its global annual turnover.
As part of the settlement, Equifax will also have to improve its data security going forward, said Joe Simons, FTC chairman, including designating staff to oversee its information security program.
Equifax will also have to undergo third-party assessments every two years.
A year after the breach was disclosed, the company was criticized for facing few consequences as a result of exposing its customers’ data, despite delays in disclosing the breach and bungling the response for consumers.
“This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud,” said Simons.
When reached, Equifax spokesperson Wyatt Jefferies did not comment beyond a company statement.