(CNN) — Credit reporting agency Equifax has reached a deal to pay up to $700 million to state and federal regulators to settle probes stemming from a data breach that exposed the personal information of nearly 150 million people.
The Federal Trade Commission announced Monday that Equifax will pay at least $300 million and as much as $425 million to compensate affected people with credit monitoring services. That money will go into a fund that will also reimburse people who purchased credit- or identity-monitoring services because of the 2017 data breach. The amount of the settlement could change depending on the number of claims still to be filed by consumers.
Equifax will also pay $275 million in civil penalties and other compensation to 48 states, Washington, Puerto Rico and the Consumer Financial Protection Bureau.
The deal also requires more changes to how Equifax handles private user data. For example, the company will have to adjust its information security protocols, including annual assessments of security risks and receiving the board’s certification attesting that the company has complied with the FTC’s order.
The FTC alleges Equifax violated the agency’s prohibition against unfair and deceptive practices. The FTC said Equifax failed to properly safeguard people’s personal information despite claiming in its privacy policy that it implemented “reasonable physical, technical and procedural safeguards” to protect their data.
“Companies that profit from personal information have an extra responsibility to protect and secure that data,” said FTC Chairman Joe Simons in a statement. “Equifax failed to take basic steps that may have prevented the breach.”
The hack, the largest in US history, exposed sensitive information, including names, Social Security numbers, driver’s license numbers and addresses.
Equifax did not respond to CNN Business’ request for comment.
Equifax first disclosed the hack in September 2017, three months after the company discovered the breach.
Hackers leveraged a security flaw in a tool designed to build web applications to steal customer data. Equifax admitted it was aware of the security flaw a full two months before the company says hackers first accessed its data.
The data breach prompted the resignation of CEO Richard Smith and investigations by federal regulators and multiple state attorneys general. The company also faces a number of civil lawsuits.