Equifax, Inc., $575,000,000
Equifax, one of the three US consumer credit bureaus, agreed to pay up to $700 million in connection with its 2017 breach that exposed personal information of ~147 million Americans.
Case identifiers
- Respondent: Equifax, Inc.
- Agency: FTC, CFPB, 50 States, and DC
- Announced: 2019-07-22
- Monetary relief: $575,000,000
- Statutes cited: FTC Act § 5 · Gramm-Leach-Bliley Act · Fair Credit Reporting Act · State UDAP laws
Key facts
1. Breach exposed Social Security numbers, birth dates, addresses, and driver's license numbers of 147 million Americans.
2. Root cause was an unpatched Apache Struts vulnerability, known and patched upstream months before it was exploited at Equifax.
3. $300 million consumer redress fund plus $125 million contingent fund; up to $275 million additional could be paid.
4. $175 million to 48 states, the District of Columbia, and Puerto Rico; $100 million CFPB civil penalty.
What the order requires
Injunctive terms imposed by the FTC, CFPB, 50 States, and DC. These bind Equifax, Inc.'s data practices going forward.
- Free credit monitoring for affected consumers.
- Required annual compliance audits for seven years.
- Creation of a comprehensive information security program with a designated CISO.
- Restrictions on the collection and storage of Social Security numbers.
Primary sources
Read the original government documents. These are the authoritative records; everything on this page is derived from them.
- FTC, CFPB, 50 States, and DC press release: https://www.ftc.gov/news-events/news/press-releases/2019/07/equifax-pay-575-million-part-settlement-ftc-cfpb-states-related-2017-data-breach
Equifax, Inc. on OfflistMe
Exercise your rights now
The multi-state order binds Equifax, Inc.'s future practices, but doesn't automatically delete your existing data. State privacy law (CCPA, CPA, TDPSA, VCDPA) gives you that right. OfflistMe generates a compliant deletion email pre-addressed to Equifax, Inc.'s registered privacy contact.
FAQ
What did the multi-state action charge Equifax, Inc. with?
Equifax, one of the three US consumer credit bureaus, agreed to pay up to $700 million in connection with its 2017 breach that exposed personal information of ~147 million Americans. The FTC, CFPB, 50 States, and DC cited the FTC Act § 5, the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, and State UDAP laws.
How much did Equifax, Inc. pay?
Equifax, Inc. paid $575,000,000 in monetary relief, announced on 2019-07-22. The settlement also imposed injunctive terms (see "What the order requires").
Does the Equifax, Inc. settlement mean my data has been deleted?
No, the order does not automatically delete your data. You retain full rights under state privacy law (CCPA, CPA, TDPSA, VCDPA, and others) to submit your own deletion request. OfflistMe can generate a compliant deletion email pre-addressed to the respondent’s privacy contact.
How can I read the original multi-state order?
The FTC, CFPB, 50 States, and DC press release is available at https://www.ftc.gov/news-events/news/press-releases/2019/07/equifax-pay-575-million-part-settlement-ftc-cfpb-states-related-2017-data-breach.