Credit monitoring firm Equifax has agreed to pay up to $700 US million in fines and penalties to settle with various U.S. regulatory bodies over the massive data breach that saw the personal information of almost 150 million people stolen in 2017.
Canadian victims aren't covered by that figure.
The Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB) and various state-level regulatory bodies announced the settlement on Monday morning, a move that brings an end to investigations from various levels of the U.S. government into the matter.
In September 2017, the company revealed that it had become the victim of one of the largest data thefts on record, with names, credit card numbers, social security numbers and other information stolen by a group of criminals that have yet to be identified.
The number of victims ballooned to 147 million people worldwide, including 19,000 in Canada. The hackers had access to the data for almost three months before the company realized it.
Under the terms of the settlement revealed Monday, the company will pay a $175 million fine to the states and $100 million to the CFPB. It will also establish a $300 million fund to compensate victims which could climb to $425 million depending on how many customers use it.
Affected consumers will also be eligible for 10 years of free credit monitoring from Equifax, and the company agreed to make it easier for consumers to freeze their credit or dispute inaccurate information in credit reports.
The company has also agreed to bolster its security practices and have its policies assessed regularly by a third party.
"Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers," FTC chair Joseph Simon said.
"This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud.
The total bill for the fiasco adds up to $700 million US, but Canadian victims aren't covered by that figure.
Officials at the agencies confirmed at a press event on Monday that while Canadians will benefit from the operational changes that Equifax has been mandated to perform to its business, they are not entitled to the financial compensation outlined on Monday.
Canada's Privacy Commissioner investigated the issue and found Equifax's response to be "lacking" and the company has agreed to a compliance agreement with the watchdog to ensure the company maintains better security practices moving forward. But no similar compensation fund for Canadian victims has been set up.