LITTLE ROCK, Ark. (News release) – Arkansas Attorney General Leslie Rutledge today announced a $2,521,481.31 settlement from Equifax for the largest-ever breach of consumer data, exposing the data of 56 percent of American adults. The investigation into the 2017 data breach found that Equifax’s failure to maintain a reasonable security system enabled hackers to penetrate its systems. Attorney General Rutledge and a coalition of 49 other Attorneys General, comprising 48 states, the District of Columbia, and the Commonwealth of Puerto Rico reached a settlement with Equifax.
“Arkansans trusted Equifax with their personal information as a means to track their credit scores,” said Attorney General Rutledge. “We are holding the company accountable for its failure to safeguard personal information.”
The coalition secured a settlement with Equifax that includes a Consumer Restitution Fund of up to $425 million, a $175 million payment to the states, and injunctive relief, which also includes a significant financial commitment. The settlement fund for affected consumers will provide up to 10 years of free credit monitoring and identity theft services, and reimburse affected consumers for time and money spent trying to avoid or recover from identity theft.
Equifax has also agreed to take several steps to assist consumers who are either facing identity theft issues or who have already had their identities stolen, including:
- Making it easier for consumers to freeze and thaw their credit and dispute inaccurate information in credit reports;
- Requiring Equifax to maintain sufficient staff dedicated to assisting consumers who may be victims of identity theft;
- Restructuring its data security team and performing regular security monitoring, logging and testing;
- Minimizing its collection of sensitive data and the use of consumers’ social security numbers;
- Reorganizing and segmenting its network including employing improved access control and account management tools;
- Reorganizing its patch management team and employing new policies regarding the identification and deployment of critical security updates and patches.
On September 7, 2017, Equifax announced a data breach affecting more than 147 million consumers. Breached information included social security numbers, names, dates of birth, addresses, credit card numbers, and in some cases, driver’s license numbers.
Shortly after, a coalition that grew to 50 attorneys general launched a multi-state investigation into the breach. The investigation found that the breach occurred because Equifax failed to implement an adequate security program to protect consumers’ highly sensitive personal information. Despite knowing about a critical vulnerability in its software, Equifax failed to fully patch its systems. Moreover, Equifax failed to replace software that monitored the breached network for suspicious activity. As a result, the attackers penetrated Equifax’s system and went unnoticed for 76 days.
Consumers who are eligible for restitution will be required to submit claims online, by mail, or by phone. Consumers will be able to obtain information about the settlement, check their eligibility to file a claim, and file a claim by phone or online. To receive email updates regarding the launch of the Equifax Settlement Breach online registry, consumers can sign up at www.ftc.gov/equifax. Consumers can also call the FTC at (833) 759-2982 for more information.
Consumers who have been impacted by the breach can call the Arkansas Attorney General’s Office at 800-482-8982 or email Equifax@ArkansasAG.gov.
In addition to Arkansas, other Attorneys General participating in this settlement include Alabama, Alaska, Arizona, California, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Utah, Vermont, Virginia, Washington, Wisconsin, Wyoming, and the District of Columbia. Also joining are Texas, West Virginia and the Commonwealth of Puerto Rico.