Nearly three years after one of the largest data breaches in history, state attorneys general still are making Equifax pay.
Massachusetts Attorney General Maura Healey announced Friday the credit processing company has agreed to pay $18.2 million and update its cybersecurity protocols. The settlement will end claims filed in connection with the company’s failure to stop a 2017 data breach that affected roughly 145 million Americans, including roughly 3 million Massachusetts residents.
The announcement comes one day after Indiana Attorney General Curtis Hill said his office has agreed to resolve a class action suit against Equifax for $19.5 million. Both settlements come after Equifax agreed in January to pay $380.5 million as part of yet another settlement with U.S. regulators. Equifax also will be required to spend at least $1 billion on improving its data protection capabilities, and may be required to pay an additional $125 million to cover out-of-pocket claims.
Massachusetts and Indiana did not join other states in the suit against Equifax.
The Massachusetts suit alleged that Equifax had failed to sufficiently protect user data, and then violated state law by delaying notification of the incident for more than a month. Officials in Indiana had similarly alleged that Equifax was negligent in protecting user data.
“Equifax had a duty to protect the private information of our consumers and it failed massively — leading to the worst data breach in history,” Massachusetts Attorney General Maura Healey said in a statement Friday. “Our office secured a significant penalty from Equifax to ensure accountability for this inexcusable conduct.”
The U.S. Department of Justice has indicted four suspected state-sponsored hackers from China in connection with the breach. The attack resulted in the theft of names, addresses, birth dates, Social Security numbers and driver’s licenses, and was possible only because Equifax failed to patch a known vulnerability in its systems. Former Department of Justice officials also have criticized the company’s response to the breach.