SALEM — Oregon will receive $2.8 million as part of a settlement with the credit monitor Equifax after an enormous 2017 data breach affected nearly 1.8 million Oregonians.
The settlement, announced Monday, was between Equifax and 48 states, the District of Columbia and Puerto Rico.
The agreement also settles ongoing investigations by the Federal Trade Commission and the federal Consumer Financial Protection Bureau.
About $175 million of that is going to the states and territories, while up to $425 million will go to redress consumers’ losses and for credit monitoring.
Equifax is also paying a $100 million fine to the Consumer Financial Protection Bureau.
The breach affected about 147 million people, compromising their Social Security numbers, birth dates, addresses, credit card numbers and for some, their driver’s license numbers.
“These self-described ‘stewards’ of our data turned out to be incredibly careless with Oregonians’ personal information and let down consumers — who had no choice about providing access to their data in the first place — in a big, big way,” Rosenblum said in a statement Monday.
Equifax is offering extended credit monitoring for those affected by the breach for 10 years, according to the state Justice Department.
Equifax denies “any wrongdoing whatsoever,” according to the settlement agreement, filed Monday in a U.S. District Court in Georgia.
But Rosenblum’s office said the breach “occurred because Equifax failed to implement an adequate security program to protect consumers’ highly sensitive personal information.”
“Despite knowing about a critical vulnerability in its software, Equifax failed to fully patch its systems,” Rosenblum said. “Equifax also failed to replace software that monitored the breached network for suspicious activity. As a result, the attackers penetrated Equifax’s system and went unnoticed for 76 days.”
Oregonians and others affected by the breach will have access to a $300 million fund to redress their losses through restitution and credit monitoring. If that amount is exhausted, up to another $125 million will be available.
The company has agreed to beef up its security protocols in the future.
The $2.8 million for Oregon goes to the Justice Department’s Consumer Education and Protection Account to help pay for the department’s work on behalf of the state’s consumers.
The breach, announced by Equifax in September 2017, prompted an outcry on Capitol Hill, where U.S. Rep. Greg Walden, R-Ore., at the time the chair of the House Energy and Commerce Committee, made headlines for questioning the former Equifax CEO.
“How could a major U.S. company like Equifax, which holds the most sensitive and personal data on Americans, so let them down?” Walden said during the hearing in October 2017. “It’s like the guards at Fort Knox forgot to lock the doors and failed to notice thieves were emptying the vaults.”
Rep. Frank Pallone, D-N.J., current chair of the House Energy and Commerce, said in a statement that the settlement “does not come close to making consumers whole” and shows the Federal Trade Commission is limited in its power to seek “strong penalties and effective redress for consumers.”
Pallone stressed the need for a comprehensive data privacy and security law to hold companies to account when consumer data is compromised.
Consumers can get email updates on the Equifax restitution and credit monitoring process by signing up at www.ftc.gov/equifax-data-breach, or call 1-833-759-2982 for more information.
Eligible consumers will eventually be required to submit claims.
Reporter Claire Withycombe: [email protected] or 971-304-4148.
