- Settlement includes up to $425 million in consumer restitution following investigation into 2017 data breach
ALBUQUERQUE — Attorney General Hector Balderas has announced that a coalition of 50 Attorneys General has reached a settlement with Equifax as the result of its massive 2017 data breach.
The Attorneys General investigation found that Equifax’s failure to maintain a reasonable security system enabled hackers to penetrate its systems, exposing the data of more than half of all American adults—the largest-ever breach of consumer data.
The Attorneys General secured a settlement with Equifax that includes up to $425 million in consumer restitution, a $175 million payment to the states, and an injunction requiring significant improvements to Equifax’s business and data security practices. This is the largest data breach enforcement action in U.S. history, brining millions of dollars of restitution to New Mexican consumers and nearly $2.3 million to the State.
“My office will continue to hold powerful companies accountable and to safeguard the personal information of all New Mexican families,” Balderas said. “We must continue to be vigilant in protecting the privacy of all New Mexicans.”
On Sept. 7, 2017, Equifax, one of the largest consumer reporting agencies in the world, announced a data breach affecting more than 147 million consumers, more than 860,000 of whom live in New Mexico. Breached information included social security numbers, names, dates of birth, addresses, credit card numbers, and in some cases, driver’s license numbers.
Shortly after, New Mexico helped launch and lead a multi-state Attorney General investigation into why the breach occurred and what could have been done to prevent it. The investigation into Equifax found an inadequate security program that failed to protect consumers’ highly sensitive personal information. Despite knowing about a critical vulnerability in its software, Equifax failed to fully patch its systems and failed to replace critical network monitoring software, essentially opening the door for the attackers. As a result, the attackers penetrated Equifax’s system and began stealing the information of millions, going unnoticed for more than two months.
Under the terms of the settlement, Equifax will provide a single Consumer Restitution Fund of up to $425 million—with $300 million dedicated to consumer redress. If the initial $300 million in the fund is exhausted, Equifax will be required to contribute up to an additional $125 million. The company must also offer affected consumers extended credit monitoring services for a total of 10 years, and must take steps to assist consumers who are either facing the threat of identity theft or who have already had their identities stolen.
Equifax must also significantly strengthen its security practices going forward, including strengthening its internal data security and patch management teams, minimizing its collection and use of sensitive information, increasing network monitoring and testing, improving access controls, and segmenting its network to thwart future attacks.