- Office of Attorney General Maura Healey
AG Healey Secures $18 Million Payment from Equifax over Data Breach that Affected Nearly Three Million Massachusetts Residents
Boston — One of the largest consumer credit reporting agencies in the country has agreed to pay $18.2 million and undertake significant injunctive relief following a massive data breach in 2017 that compromised the personal information of nearly three million Massachusetts residents, Attorney General Maura Healey announced today.
The consent judgment, approved by a Suffolk Superior Court judge on April 13, resolves the AG’s 2017 lawsuit alleging that Equifax failed to patch a known vulnerability in its network, allowing hackers to infiltrate its systems and access the sensitive personal information of at least 147 million consumers nationwide.
“Equifax had a duty to protect the private information of our consumers and it failed massively – leading to the worst data breach in history,” said AG Healey. “Our office secured a significant penalty from Equifax to ensure accountability for this inexcusable conduct. The company will implement stringent measures to strengthen its security practices and keep our data safe.”
When Equifax announced the data breach in early September 2017, AG Healey immediately launched an investigation to determine the risk to consumers and whether the company had proper safeguards in place to protect consumer information. Within days, the AG’s Office sued Equifax under Massachusetts consumer protection and data privacy laws. According to the AG’s complaint, unauthorized third parties infiltrated Equifax’s computer system through its website for months without the company detecting them and stole sensitive and personal consumer information. The complaint alleged that Equifax lacked sufficient safeguards to protect consumers’ personal data in its system. The complaint further alleged that Equifax violated Massachusetts law by delaying notice of the breach. According to the AG’s complaint, Equifax knew about the breach around July 29, 2017, yet did not notify the AG’s Office or consumers until Sept. 7, 2017.
Under the terms of the proposed settlement, Equifax will pay an $18.2 million penalty to Massachusetts, a portion of which the AG’s Office will use to support local consumer aid programs.
The settlement also requires Equifax to take significant steps to strengthen its security practices and bring them into compliance with Massachusetts law, including regular monitoring, identifying critical security updates, minimizing its collection of sensitive data, improving account management tools, and allowing third-party assessments of its data safeguards.
Massachusetts consumers affected by the breach can seek available relief under the settlements that Equifax reached in July 2019 with 50 states and U.S. territories, the Federal Trade Commission, and the Consumer Financial Protection Bureau, along with a national consumer class action suit. Eligible consumers can file claims for relief from a Consumer Restitution Fund created under these settlements to obtain assistance in freezing and thawing their credit files, the opportunity to dispute inaccurate credit report information, and to seek payments and assistance in addressing identity theft that results from the breach. More information about this consumer relief can be found here. For more information on Equifax’s Consumer Restitution Fund or on how to make a claim, visit www.equifaxbreachsettlement.com/.
The AG’s Consumer Protection Division has published guidance for consumers impacted by the 2017 Equifax breach on its website, which includes more information about today’s settlement.
If you believe that you have been the victim of identity theft, you will need to take additional steps to protect your credit and your personal information. For additional information, consumers may contact the AG’s consumer hotline at 617-727-8400 or view the Federal Trade Commission’s identity theft resource, available at www.consumer.gov/idtheft/. Guidance for businesses on data breaches can be found here.
This case was handled by Sara Cable, Director of Data Privacy & Security, and Assistant Attorneys General Jared Rinehimer and Elizabeth Cho, with assistance from Assistant Attorney General Sarah Petrie, all of the AG’s Consumer Protection Division, and Investigator Anthony Crespi of the AG’s Civil Investigations Division.