Attorney General Raoul $600 million settlement with Equifax
Raoul Leads 50 AGs in Largest Data Breach Settlement in History That Includes up to $425 Million in Consumer Restitution
7/22/2019, 8:17 p.m.
Attorney General Kwame Raoul announced a $600 million settlement with Equifax that resolves a nationwide investigation into consumer reporting agency Equifax. Raoul’s office led a coalition of 50 attorneys general investigating Equifax’s 2017 data breach, and the settlement represents the largest data breach settlement in history.
Raoul’s office opened the multistate investigation in September 2017 following the massive data breach. The investigation found that Equifax’s failure to maintain a reasonable security system enabled hackers to penetrate its systems, exposing the data of 56 percent of American adults and making it the largest-ever breach of consumer data. Raoul’s settlement with Equifax includes a Consumer Restitution Fund of up to $425 million, a $175 million payment to the states that includes more than $7.3 million for Illinois, and injunctive relief that also includes a significant financial commitment.
“The Equifax data breach compromised the personal information of millions of Illinoisans,” Raoul said. “This historic settlement should send the message that companies – particularly those tasked with protecting personal information – will be held accountable for not doing enough to keep consumers’ sensitive, personal information secured.”
On Sept. 7, 2017, Equifax, one of the largest consumer reporting agencies in the world, announced a data breach affecting more than 147 million consumers – nearly half of the U.S. population. In Illinois alone, an estimated 5.4 million residents were impacted. Compromised information included names, social security numbers, dates of birth, addresses, credit card numbers, and in some cases, driver’s license numbers.
Shortly after, Raoul led a coalition that grew to 50 attorneys general in a multistate investigation into the breach. The investigation found that the breach occurred because Equifax failed to implement an adequate security program to protect consumers’ highly sensitive personal information. Despite knowing about a critical vulnerability in its software, Equifax failed to patch its systems fully. Moreover, Equifax failed to replace software that monitored the breached network for suspicious activity. As a result, attackers penetrated Equifax’s system and went unnoticed for 76 days.
Under the terms of the settlement, Equifax agreed to provide a single Consumer Restitution Fund of up to $425 million dedicated to consumer restitution. If the initial $300 million is exhausted, Equifax will pay up to an additional $125 million into the fund to cover remaining claims. The restitution program will be conducted in connection with settlements that have been reached in separate multi-district class action lawsuits filed against Equifax, as well as settlements that were reached with the Federal Trade Commission and Consumer Financial Protection Bureau. The settlement also requires Equifax to offer affected consumers extended credit monitoring services for 10 years.
A website has been established to accept claim forms and administer the settlement fund. That website, www.EquifaxBreachSettlement.com, will go live in the coming days as the settlement must be approved by the judge before the administrator can accept consumer claim forms. If consumers wish to be notified when the breach settlement website begins accepting claims against the settlement fund, they can go to https://www.ftc.gov/equifax-data-breach and submit their email addresses. This site, run by the Federal Trade Commission, will notify consumers who submit their email address when claims begin being accepted. For questions about eligibility for restitution, filing a claim, enrolling in credit monitoring, or additional information, people should visit www.EquifaxBreachSettlement.com or they can also call 1-833-759-2982. Individuals will be able to submit claims on the website or by mail.