The credit bureau Equifax will pay about $650 million — and perhaps much more — to resolve most claims stemming from a 2017 data breach that exposed sensitive information on more than 147 million consumers and demonstrated how little control Americans have over their personal data.
The settlement is vast in its scope, resolving investigations by two federal agencies and 48 state attorneys general and covering every American consumer whose data was stolen — or just under half the population of the United States. It does not just compensate victims who lost money: People who suffered through the hassles of bank phone trees and credit-card customer service lines can bill Equifax $25 an hour for their time.
A federal judge gave the agreement preliminary approval on Monday, and once finalized, it will be the largest settlement of a data breach case in terms of dollar amount and number of victims, surpassing the $115 million the health care company Anthem paid to settle claims from 79 million people who had their personal information stolen in 2015.
“Equifax put profits over privacy and greed over people, and must be held accountable to the millions of people they put at risk,” said the New York attorney general, Letitia James, who helped lead the states’ investigation.
Almost half the settlement — $300 million — will go toward American consumers who were harmed by the breach, according to settlement documents filed in federal court in Atlanta. The company also agreed to pay $275 million in fines to end investigations by the Consumer Financial Protection Bureau, the Federal Trade Commission and 48 states, plus the District of Columbia and Puerto Rico.
Equifax agreed to provide up to 10 years of free credit monitoring services to all victims of the breach in the United States, an offer that could prove costly. Equifax is paying one of its competitors, Experian, to provide that service for the first four years, but the settlement assumes only about seven million people will sign up.
That means the ultimate size of the settlement could change. Every additional million consumers who opt in would cost Equifax more than $16 million, according to the settlement documents. If all 147 million victims of the breach were to take part, the monitoring services would cost Equifax more than $2 billion.
“If people want Equifax to pay more, sign up for credit monitoring,” said Norman E. Siegel, a lawyer representing consumers in the settlement.
In addition to the potential costs for credit monitoring, Equifax said it would add up to $125 million to the claims fund if the initial $300 million is depleted.