RICHMOND, Va. — Attorney General Mark R. Herring on Monday announced that a coalition of attorneys generals settled with Equifax as the result of an investigation into a massive 2017 data breach.
The investigation found that Equifax’s failure to maintain a reasonable security system enabled hackers to penetrate its systems, exposing the data of 56 percent of American adults—the largest-ever breach of consumer data.
The attorney general's investigation found that despite knowing about a critical vulnerability in its software, Equifax failed to fully patch its systems. It also failed to replace software that monitored the breached network for suspicious activity.
The attackers penetrated Equifax’s system, and it went unnoticed for 76 days.
The settlement includes a Consumer Restitution Fund of up to $425 million, a $175 million payment to the states, which includes $4,302,173.75 for Virginia, and injunctive relief, which also includes a significant financial commitment.
“More than 4 million Virginians had their personal information compromised by Equifax’s negligence and failure to implement adequate security programs,” said Attorney General Herring. “I hope this settlement sends a message to companies nationwide that my colleagues and I will not tolerate their failure to keep consumers information protected and private. While this settlement puts Virginians who have been affected by the data breach one step closer to being made whole, consumers need to remain vigilant regarding their data, including monitoring their credit card and bank statements as well as credit reports.”
Equifax has agreed to take several steps to assist consumers who are either facing identity theft issues or who have already had their identities stolen including. The steps include making it easier for consumers to freeze and thaw their credit, consumers can easily dispute inaccurate information in credit reports and requiring Equifax to maintain sufficient staff dedicated to assisting consumers who may be victims of identity theft.
Equifax has agreed to strengthen its security practices going forward, including:
- reorganizing its data security team;
- minimizing its collection of sensitive data and the use of consumers’ Social Security numbers
- performing regular security monitoring, logging, and testing
- employing improved access control and account management tools
- reorganizing and segmenting its network
- reorganizing its patch management team and employing new policies regarding the identification and deployment of critical security updates and patches.
Consumers who are eligible for redress will be required to submit claims online or by mail. Paper claims forms can also be requested over the phone.
Consumers will be able to obtain information about the settlement, check their eligibility to file a claim, and file a claim on the Equifax Settlement Breach online registry.
Consumers can also call the settlement administrator at 1-833-759-2982 for more information.
The program to pay restitution to consumers will be conducted in connection with settlements that have been reached in the multi-district class actions filed against Equifax, as well as settlements that were reached with the Federal Trade Commission and Consumer Financial Protection Bureau.