TRENTON – Equifax has entered into a $600 million settlement agreement to resolve claims stemming from the massive 2017 data breach at the credit reporting agency, Attorney General Gurbir S. Grewal announced today. New Jersey co-led the multi-state investigation, which found that Equifax’s failure to maintain reasonable security measures enabled hackers to penetrate its systems and exposed data of most American adults in what is believed to be the largest-ever consumer data breach.
As part of the settlement, Equifax has agreed to create a Consumer Restitution Fund of up to $425 million. The company also must pay a total of $175 million in civil penalties to the participating states. In addition, Equifax has agreed to significantly strengthen its data security practices going forward.
New Jersey, which was part of a multi-state Leadership Committee that spearheaded the investigation, will receive $6.36 million of the civil penalties paid by Equifax.
“We all know that the troves of personal information housed in company databases are targets for criminal hackers,” said Attorney General Grewal. “So consumers should be able to feel confident that companies are taking appropriate steps to safeguard their data. Equifax failed its customers on a massive and unprecedented scale, and today it is paying the price. I am proud that our new Data Privacy and Cybersecurity Section played a leading role in bringing justice to the millions of New Jersey residents who were affected.”
On September 7, 2017, Equifax, one of the largest consumer reporting agencies in the world, announced a data breach affecting more than half the U.S. population. The breach exposed the Social Security numbers, names, dates of birth, addresses, credit card numbers, and/or driver’s license numbers of more than four million New Jersey residents, and more than 147 million Americans nationwide.
Shortly after the breach was disclosed, a coalition of Attorneys General launched a multi-state investigation. The investigation found that Equifax failed to implement an adequate security program to protect consumers’ highly sensitive personal information.
Despite knowing about a critical vulnerability in its software, Equifax failed to fully patch its systems. Moreover, Equifax failed to replace software that monitored the breached network for suspicious activity. As a result, intruders penetrated Equifax’s system and went unnoticed for 76 days.
Under terms of the settlement announced today, Equifax has agreed to establish a Consumer Restitution Fund of $300 million - with an additional $125 million available if the initial fund is exhausted. The company will also offer affected consumers extended credit-monitoring services for 10 years.
Consumers who are eligible for redress may submit claims online, by mail, or by telephone. Consumers can learn more about the Restitution Fund at www.EquifaxBreachSettlement.com or at the toll-free number:
In addition to its settlement with the states, Equifax is agreeing to resolve class actions, as well as investigations by the Federal Trade Commission (FTC) and Consumer Financial Protection Bureau.
Because consumers will not yet be able to submit claims through the existing link, the FTC has created a website that will collect consumer information and provide notice once the claims process is actually in motion.
That site is: ftc.gov/equifax. The website will go live on Monday, and the page contains information designed to provide educational materials and Frequently Asked Questions specific to the Equifax settlement.
As a part of its settlement with the states, Equifax has also agreed to take several steps to assist consumers who are either facing identity theft issues or who have already had their identities stolen including, but not limited to:
- making it easier for consumers to freeze and thaw their credit;
- making it easier for consumers to dispute inaccurate information in credit reports; and
- maintaining sufficient staff dedicated to assisting consumers who may be victims of identity theft.
Equifax has also agreed as part of the settlement to strengthen its security practices going forward including, among other things:
- reorganizing its data security team;
- minimizing its collection of sensitive data and use of consumers’ Social Security numbers;
- performing regular security monitoring, logging and testing;
- employing improved access control and account management tools;
- reorganizing and segmenting its network;
- reorganizing its patch management team; and
- employing new policies regarding the identification and deployment of critical security updates and patches.
Deputy Attorney General Elliott M. Siebers, Section Chief in the Division of Law’s Data Privacy and Cybersecurity Section, Deputy Attorney General Carla Pereira, of the Government and Healthcare Fraud Section, former Deputy Attorney General Russell M. Smith, Jr. (formerly of the Consumer Fraud Prosecution Section) and former Deputy Attorney Labinot Berlajolli (formerly of the Government and Healthcare Fraud Section) handled the Equifax matter on behalf of the State.