July 22 (UPI) -- Credit reporting agency Equifax has agreed to pay at least $575 million over a data breach two years ago that affected nearly 150 million people, U.S. regulators said Monday.
Hackers discovered a vulnerability in Equifax servers in 2017 that opened access to login credentials and for two months mined data that included credit card numbers, drivers licenses and social security numbers.
As part of the settlement, Equifax will pay $300 million to provide consumers with credit monitoring services, compensate those who purchased credit or identity monitoring services and other out-of-pocket expenses. It will also provide U.S. consumers with six free credit reports a year and one annual credit report, for seven years. Equifax will pay $175 million to 48 states, the District of Columbia and Puerto Rico, as well as $100 million in civil penalties.
"Companies that profit from personal information have an extra responsibility to protect and secure that data," FTC Chairman Joe Simons said in a statement. "Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers.
"This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud."
Equifax CEO Mark Begor said the agreement reinforces the company's commitment to safeguarding information and recognizing the seriousness of the breach.
"This comprehensive settlement is a positive step for U.S. consumers and Equifax as we move forward," Begor said.