LITTLE ROCK, Ark. — Arkansas is receiving $2.5 million as part of a settlement with the credit reporting agency Equifax over a 2017 data breach that exposed the Social Security numbers and other private information of nearly 150 million people.
Attorney General Leslie Rutledge said Monday Arkansas is receiving the money as part of Equifax’s $700 million settlement with the Consumer Financial Protection Bureau and the Federal Trade Commission, as well as 48 states, the District of Columbia and Puerto Rico.
The settlement includes a consumer restitution fund of up to $425 million. That money will go into a fund that will also reimburse people who purchased credit- or identity-monitoring services because of the 2017 data breach. The amount of the settlement could change depending on the number of claims still to be filed by consumers.
The deal also requires more changes to how Equifax handles private user data. For example, the company will have to adjust its information security protocols, including annual assessments of security risks and receiving the board’s certification attesting that the company has complied with the FTC’s order.
The FTC alleges Equifax violated the agency’s prohibition against unfair and deceptive practices. The FTC said Equifax failed to properly safeguard peoples’ personal information despite claiming in its privacy policy that it implemented “reasonable physical, technical and procedural safeguards” to protect their data.
“Companies that profit from personal information have an extra responsibility to protect and secure that data,” said FTC Chairman Joe Simons in a statement. “Equifax failed to take basic steps that may have prevented the breach.”
The hack, the largest in US history, exposed sensitive information, including names, Social Security numbers, drivers’ license numbers and addresses.
Equifax first disclosed the hack in September 2017, three months after the company discovered the breach.
Hackers leveraged a security flaw in a tool designed to build web applications to steal customer data. Equifax admitted it was aware of the security flaw a full two months before the company says hackers first accessed its data.
The data breach prompted the resignation of CEO Richard Smith and investigations by federal regulators, multiple states attorneys general and the company faces a number of civil lawsuits.
