Beshear: 50 Attorneys General Secure $600 Million from Equifax in Largest Data Breach Settlement in History

Up to $425 million in consumer restitution following investigation into 2017 data breach

FRANKFORT, KY. (July 22, 2019) – Attorney General Andy Beshear today announced that a coalition of 50 attorneys general, has reached a settlement with Equifax as the result of an investigation into a massive 2017 data breach.

The investigation found that Equifax’s failure to maintain a reasonable security system enabled hackers to penetrate its systems, exposing the data of 56 percent of American adults – the largest-ever breach of consumer data.

The attorneys general secured a settlement with Equifax that includes a Consumer Restitution Fund of up to $425 million, a $175 million payment to the states and injunctive relief, which also includes a significant financial commitment. This is the largest data breach enforcement action in history.

“Our top priority was to make sure the nearly 1.9 million Kentuckians who had their personal data exposed in this breach have access to the Consumer Restitution Fund and extended credit monitoring services,” Beshear said. “We have also made sure that Equifax takes proper responsibility for their actions by implementing stronger data security procedures.”

On Sept. 7, 2017, Equifax, one of the largest consumer reporting agencies in the world, announced a data breach affecting more than 147 million consumers – nearly half of the U.S. population. Breached information included Social Security numbers, names, dates of birth, addresses, credit card numbers and in some cases, driver’s license numbers.

Shortly after, a coalition that grew to 50 attorneys general launched a multi-state investigation into the breach. The investigation found that the breach occurred because Equifax failed to implement an adequate security program to protect consumers’ highly sensitive personal information. Despite knowing about a critical vulnerability in its software, Equifax failed to fully patch its systems. Moreover, Equifax failed to replace software that monitored the breached network for suspicious activity. As a result, the attackers penetrated Equifax’s system and went unnoticed for 76 days.

Under the terms of the settlement, Equifax agreed to provide a single Consumer Restitution Fund of up to $425 million – with $300 million dedicated to consumer redress. If the $300 million is exhausted, the fund can increase by up to an additional $125 million. The company will also offer affected consumers extended credit-monitoring services for a total of 10 years.

Equifax has also agreed to take several steps to assist consumers who are either facing identity theft issues or who have already had their identities stolen including, but not limited to, terms:

·         making it easier for consumers to freeze and thaw their credit;

·         making it easier for consumers to dispute inaccurate information in credit reports; and

·         requiring Equifax to maintain sufficient staff dedicated to assisting consumers who may be victims of identity theft.

Equifax has also agreed to strengthen its security practices going forward, including:

·            reorganizing its data security team;

·            minimizing its collection of sensitive data and the use of consumers’ Social Security numbers;

·            performing regular security monitoring, logging and testing;

·            employing improved access control and account management tools;

·            reorganizing and segmenting its network; and

·            reorganizing its patch management team and employing new policies regarding the identification and deployment of critical security updates and patches.

Equifax also agreed to pay the states a total of $175 million, which includes an agreement to send nearly $1.4 to Kentucky’s general fund.

Consumers who are eligible for redress will be required to submit claims online or by mail. Paper claims forms can also be requested over the phone. Consumers will be able to obtain information about the settlement, check their eligibility to file a claim and file a claim on the Equifax Settlement Breach online registry. To receive email updates regarding the launch of this online registry, consumers can sign up at Consumers can also call the settlement administrator at 1-833-759-2982 for more information.

The program to pay restitution to consumers will be conducted in connection with settlements that have been reached in the multi-district class actions filed against Equifax, as well as settlements that were reached with the Federal Trade Commission and Consumer Financial Protection Bureau.

Since taking office Beshear has made it a priority to protect Kentucky families.

Earlier this month, Beshear said he was sending more than $50,000 to the state’s general fund following a multi-state settlement with Premera Blue Cross over its alleged failure to secure the sensitive data of nearly 38,000 Kentuckians.

In May, Beshear announced the state’s general fund would receive more than $25,000 following the court’s approval of a consent judgment with a health records companies over a 2015 data breach. Allegedly, the breach compromised the data of 69,000 Kentuckians, including 33,000 Social Security numbers.

Beshear announced in January that his office was part of a multi-state settlement that lead the Neiman Marcus Group LLC to pay Kentucky’s general fund more than $17,000 after a 2013 data breach.

To date, settlements and civil litigation from Beshear’s consumer protection efforts have returned over $16 million to the Commonwealth’s general fund. These actions have yielded restitution that could exceed more than $95 million, representing amounts paid to consumers or amounts Kentuckians are eligible to receive, and the value of credits, student loan debt relief and warranty extensions.

Register for our Birthday/Anniversary Club!!