AG Balderas Leads $600 Million Multi-state Settlement with Equifax in Largest Data Breach Settlement in History

FOR IMMEDIATE RELEASE: July 22, 2019

Contact: Matt Baca (505) 270-7148

Albuquerque, NM— Attorney General Hector Balderas today announced that a coalition of 50
Attorneys General has reached a settlement with Equifax as the result of its massive 2017 data
breach. The Attorneys General investigation found that Equifax’s failure to maintain a
reasonable security system enabled hackers to penetrate its systems, exposing the data of more
than half of all American adults—the largest-ever breach of consumer data. The Attorneys
General secured a settlement with Equifax that includes up to $425 million in consumer
restitution, a $175 million payment to the states, and an injunction requiring significant
improvements to Equifax’s business and data security practices. This is the largest data breach
enforcement action in U.S. history, bringing millions of dollars of restitution to New Mexican
consumers and nearly $2.3 million to the State.

“My office will continue to hold powerful companies accountable and to safeguard the personal
information of all New Mexican families,” said Attorney General Balderas. “We must continue
to be vigilant in protecting the privacy of all New Mexicans.”

On September 7, 2017, Equifax, one of the largest consumer reporting agencies in the world,
announced a data breach affecting more than 147 million consumers, more than 860,000 of
whom live in New Mexico. Breached information included social security numbers, names, dates
of birth, addresses, credit card numbers, and in some cases, driver’s license numbers.

Shortly after, New Mexico helped launch and lead a multi-state Attorney General investigation
into why the breach occurred and what could have been done to prevent it. The investigation into
Equifax found an inadequate security program that failed to protect consumers’ highly sensitive
personal information. Despite knowing about a critical vulnerability in its software, Equifax
failed to fully patch its systems and failed to replace critical network monitoring software,
essentially opening the door for the attackers. As a result, the attackers penetrated Equifax’s
system and began stealing the information of millions, going unnoticed for more than two
months.

Under the terms of the settlement, Equifax will provide a single Consumer Restitution Fund of
up to $425 million—with $300 million dedicated to consumer redress. If the initial $300 million
in the fund is exhausted, Equifax will be required to contribute up to an additional $125 million.
The company must also offer affected consumers extended credit monitoring services for a total
of 10 years, and must take steps to assist consumers who are either facing the threat of identity
theft or who have already had their identities stolen.

Equifax must also significantly strengthen its security practices going forward, including
strengthening its internal data security and patch management teams, minimizing its collection and
use of sensitive information, increasing network monitoring and testing, improving access
controls, and segmenting its network to thwart future attacks.

Finally, Equifax will pay the state Attorneys General a total of $175 million, which includes
nearly $2.3 million for New Mexico. These funds are separate and apart from the restitution
fund, and will be used to bolster the Attorney General’s data security investigation and consumer
protection efforts.

Consumers who believe they are eligible for restitution may submit claims online or by mail.
Paper claims forms can be requested by phone. Consumers can obtain information about the
settlement, check their eligibility to file a claim, and file a claim on the Equifax Settlement
Breach online registry, set to launch soon after this announcement. To receive email updates
regarding the launch of this online registry, consumers can sign up at www.ftc.gov/equifax-databreach. Consumers can also call the settlement administrator at 1-833-759-2982 for more
information. The program to pay restitution to consumers will be conducted in concert with
settlements that have been reached in the multi-district class actions filed against Equifax, as
well as settlements that were reached with the Federal Trade Commission and Consumer
Financial Protection Bureau.

New Mexican consumers are also encouraged to visit the Office of the Attorney General’s
website at www.nmag.gov for consumer protection resources or to work with a consumer
advocate if they believe they have been the victim of a security breach.

In addition to New Mexico, other Attorneys General participating in this settlement include
Alabama, Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida,
Georgia, Hawaii, Idaho, Illinois, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland,
Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New
Jersey, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania,
Rhode Island, South Carolina, South Dakota, Tennessee, Utah, Vermont, Virginia, Washington,
Wisconsin, Wyoming, and the District of Columbia. Also joining are Texas, West Virginia and
the Commonwealth of Puerto Rico.