Atlanta-based consumer credit reporting agency Equifax has agreed to pay the State of Indiana $19.5 million to settle a class-action lawsuit, brought forward by the State’s Attorney General Curtis Hill. The lawsuit concerns the 2017 data breach that leaked a massive amount of data of more than 147 million Americans, including 3.9 million Indiana residents. The lawsuit claimed that Equifax failed to protect its residents’ social security numbers and other private information. As per the settlement, Equifax is also required to correct Indiana’s security deficiencies and safeguard consumer information in the future.
Indiana and Massachusetts are the two states that did not participate in a multistate settlement in July 2019 that announced up to a $700 million settlement with the U.S. Federal Trade Commission, Consumer Financial Protection Bureau, and 50 states and territories.
Overview of the Data Breach
In September 2017, Equifax disclosed that its databases were hacked between May and June 2017, and attackers gained access to the company’s data that compromised sensitive information for 147 million American consumers, including social security numbers, credit card numbers, and driver’s license numbers. Equifax discovered the breach on July 29, 2017, but waited until after the close of trading nearly six weeks later to disclose the breach to its consumers and investors, after hackers exfiltrated data for 76 days.
A Series of Lawsuits
Equifax recently settled similar claims with the U.S. Federal Trade Commission. As per the settlement, Equifax will pay $380.5 million as a penalty from where the class action members can withdraw up to $20,000 as compensation. Additionally, the company may also require spending $125 million for out-of-pocket claims. Class action members will also receive 10 years of free credit monitoring services from Equifax.
Also, earlier, in September 2018, Equifax was charged with a fine of £500,000 (US$660,000) by the Information Commissioner Office (ICO) for failing to protect the personal and financial data of customers. The ICO, which carried out the investigation, stated that the U.S. Department of Homeland Security warned Equifax about the vulnerabilities in its systems, in 2017. However, Equifax failed to take proper steps to fix the vulnerabilities.