Credit reporting agency Equifax Inc. has agreed to pay up to $700 million in compensation in a settlement with the U.S. Federal Trade Commission over its infamous 2017 hack.

The settlement, which covers all lawsuits by federal and state regulators as well as a class-action case against the company, will result in Equifax paying out at least $575 million in compensation but up to $700 million depending on claims.

About $300 million of the settlement is being dedicated to a fund that will provide affected costumers with credit monitoring services and to compensation for customers who purchased credit reporting services and paid other out-of-pocket services as a result of the hack and data theft. A further $125 million will be made available should the $300 million not cover consumer claims. Under the deal, Equifax will also provide all U.S. consumers with six free credit reports each year for seven years in addition to the one free annual credit report that Equifax currently provides.

Some $175 million more will be paid out to the 48 states, Washington D.C. and Puerto Rico, which filed suit against the company while $100 million will be paid in penalties to the Consumer Financial Protection Bureau.

“Companies that profit from personal information have an extra responsibility to protect and secure that data,” FTC Chairman Joe Simons said in a statement today. “Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers. This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud.”

The settlement puts to bed a sordid tale that started with the company’s admission that it had been hacked in September 2017, saying that the records of 143 million people had been stolen, later revising that figure to 146.6 million. Worse still, company insiders were given a heads-up about the hack before the details were made public and attempted to profit from the news. Former Equifax Senior Vice President Jun Ying was jailed for four months June 30 for insider trading.

The $700 million settlement comes in addition to the millions of dollars that the company has already paid in legal, remediation, insurance and investigation costs, Anurag Kahol, chief technology officer at cloud access security  broker Bitglass Inc., told SiliconANGLE.

“In reality, Equifax should consider itself lucky that this breach occurred before data privacy regulations like GDPR and CCPA [the California Consumer Privacy Act] came into effect,” Kahol said. “With respect to GDPR, we’re beginning to see massive fines levied against companies like Marriott and British Airways.”

Moreover, he noted, CCPA, which is set to take effect in January 2020, calls for fines of $100 to $750 per consumer per incident or actual damages, whichever is greater. “This means that Equifax could have been subjected to fines totaling more than $110 billion had CCPA been in effect at the time of this breach,” he said

The Equifax breach was articulated as a “failure to patch,” but the reality is the security failures were far more broad, noted Chris Kennedy, chief information security officer and vice president of customer success at automated validation platform AttackIQ Inc.

“Poor IT governance, vulnerability discovery, application architecture, identity and privileged access management and other factors led to 147 million consumers’ highly sensitive records being exfiltrated,” Kennedy explained. “Because the company was not practicing continuous monitoring of its IT environment combined with a failure to validate security controls on an ongoing basis, hackers had access to its system for 76 days without detection.”

Kennedy added that simply investing in more cybersecurity tools is useless unless companies can be sure that those tools are effective. “Case in point, Equifax shared that between 2014 and 2017, it spent $250 million on cybersecurity investments — yet still suffered one of the worst data breaches of all time,” he said.

Image: Pixabay