Equifax is nearing a deal to settle a slew of state and federal investigations into a 2017 data breach that exposed nearly 150 million Americans’ Social Security numbers and other sensitive personal information.
Under the agreement, the credit-reporting firm would pay around $700 million to settle with the Federal Trade Commission, the Consumer Financial Protection Bureau and most state attorneys general, according to people familiar with the matter. The deal would also resolve a nationwide consumer class-action lawsuit, they said.
The settlement could be announced as soon as Monday, the people said. The amount Equifax ultimately pays could shift based on the number of consumer claims that are eventually filed, they added.
The deal would clear a cloud that has hung over Equifax since it revealed in September 2017 that hackers had penetrated its systems and gained access to consumers’ names, Social Security numbers, birth dates and addresses.
The hack, among the biggest consumer-data breaches, exposed big security flaws at one of the nation’s largest credit-reporting firms and raised cybersecurity alarms among consumers and policy makers alike. Hackers were able to work their way into Equifax’s systems through a software flaw the company had neglected to patch. A malfunctioning scanning tool, meanwhile, allowed hackers to roam undetected in the company’s network for months.
The backlash was swift. Within weeks, the company’s long-serving chief executive retired. State and federal officials launched a spate of investigations. Lawmakers excoriated Equifax executives for waiting six weeks to disclose the hack after it detected suspicious activity and raised questions about how it handles the troves of consumer data it collects.
Equifax and the two other major credit-reporting firms compile lengthy financial dossiers on hundreds of millions of Americans that include their credit accounts and repayment histories.
They also have access to addresses, Social Security numbers and other information necessary to apply for credit. Those personal details are what the hackers stole.
The breach highlighted how little control consumers have over their personal data and how it is shared. Much of Equifax’s revenue comes from the credit reports and other products it sells to lenders, which use the information to evaluate potential borrowers. Unlike hacks that have affected consumers who shop at particular merchants or use certain websites, the Equifax breach affected millions of people who never dealt directly with the company.
The settlement would establish a fund to compensate consumers for harm suffered because of the breach, according to people familiar with the matter. A website and call center would be set up to handle the claims, one of the people said.
The settlement would also require Equifax to make additional changes to how it handles and protects consumer data, the people said. The company is on track to spend some $1.25 billion shoring up its security systems and upgrading technology. Regulators in several states last year ordered the company to strengthen its information-security defenses, patches and disaster-response protocols.
Equifax is still working to recover from the hack nearly two years after it was disclosed. New product sales to U.S.-based lenders are lagging, as are sales of its consumer products. The company suspended stock buybacks and froze its dividend in 2017 to prepare for a potential settlement. In a May securities filing, Equifax said it had set aside $690 million to cover expenses pertaining to investigations and lawsuits. Chief Executive Mark Begor told analysts that month that a global settlement was in the works that would cover “many of the significant issues facing the company.”
The breach heightened congressional scrutiny of the credit-reporting industry. Congress passed legislation last year barring credit-reporting firms from charging fees to freeze and unfreeze credit reports.
Some lawmakers have called for tighter requirements on credit-reporting firms to fix inaccuracies in credit reports.
At a House Financial Services Committee hearing earlier this year, Equifax Chief Executive Mr. Begor said the company has taken steps since the breach to help consumers more easily access and fix errors on their credit reports.
“Our culture is shifting,” said Mr. Begor, who testified alongside TransUnion and Experian executives.
—Corinne Ramey contributed to this article.
Write to AnnaMaria Andriotis at email@example.com
Copyright ©2019 Dow Jones & Company, Inc. All Rights Reserved.
Appeared in the July 20, 2019, print edition as ‘Equifax Nears $700 Million Settlement in Data Breach.’