Equifax will pay at least $575 million in a settlement for a mammoth 2017 data breach that impacted more than 140 million people. According to an announcement by the Federal Trade Commission (FTC), this penalty could rise to as much as $700 million.

The Atlanta-headquartered consumer credit reporting company hit the spotlight back in September 2017, when it announced that personal details — such as the names, dates of birth, Social Security numbers, addresses, and more — of up to 147 million U.S. consumers were exposed to hackers between May and July of that year. According to the FTC, Equifax stored much of its customers’ confidential data — including social security numbers, network credentials, and passwords — in plain text.

It later emerged that Equifax had been made aware of the security vulnerability affecting one of its customer databases as early as March of that year, but failed to patch it.

The FTC said in its report:

The FTC alleges that Equifax failed to patch its network after being alerted in March 2017 to a critical security vulnerability affecting its ACIS database, which handles inquiries from consumers about their personal credit data. Even though Equifax’s security team ordered that each of the company’s vulnerable systems be patched within 48 hours after receiving the alert, Equifax did not follow up to ensure the order was carried out by the responsible employees.

The settlement comes hot on the heels of a number of other high-profile data breach levies. Earlier this month, British Airways was slapped with a $230 million fine — a record under Europe’s GDPR laws — over a 2018 security breach that compromised the personal data of 500,000 customers. A day later, hotel giant Marriott was hit with a $123 million fine for similar breaches under GDPR regulations.

Breakdown

Under the Equifax settlement, reached with the FTC, the Consumer Financial Protection Bureau (CFPB), and 50 U.S. states and territories, $300 million will be used to fund credit monitoring services for affected consumers and to compensate those who bought credit or identity monitoring services as a result of the breach. A further $125 million has been set aside should the initial tranche not be enough. Equifax will also give all U.S. consumers six free credit reports annually for seven years.

Moreover, Equifax will pay civil penalties of $175 million to 48 states, plus Washington, D.C. and Puerto Rico, and a further $100 million to the CFPB.

“Companies that profit from personal information have an extra responsibility to protect and secure that data,” said FTC chair Joe Simons. “Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers. This settlement requires that the company take steps to improve its data security going forward and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud.”

The FTC has also ordered Equifax to implement a “comprehensive information security program,” including carrying out annual assessments of security risks, in addition to other measures, such as obtaining certifications each year to verify that the company is complying with the order.