What consumers should know about Equifax $700M settlement

The Equifax Consumer reporting agency company logo seen displayed on a smartphone. (Photo: Igor Golovniov/SOPA Images/LightRocket via Getty Images)

Equifax's $700 million settlement with the U.S. government over a massive 2017 data breach includes up to $425 million for consumers.

The breach was one of the largest ever to threaten private information, as the breach exposed Social Security and other data on nearly 150 million people. Affected consumers would get free credit-monitoring and identity-restoration services for the next several years and may be eligible for money they've already spent on such services.

Here is what you need to know about the breach and what actions you can take:

HOW DID HACKERS BREAK IN?

According to the Government Accountability Office, the investigative arm of Congress, a server hosting Equifax's online dispute portal was running software with a known weak spot. The hackers, who have not been identified, jumped through the opening. Hiding behind encryption tools, they sent 9,000 queries to dozens of databases containing consumers' personal information, and then methodically extracted the information.

The attack went unnoticed by Equifax for more than six weeks.

Equifax officials told GAO the company made many mistakes. Some were as simple as having an outdated list of computer systems administrators. When the company circulated a notice to install a patch for the software vulnerability, the employees responsible for installing the patch never got it.

WHAT HAS EQUIFAX DONE?

The company has said it took steps to fix the issues that allowed the breach to occur. That includes adding tools to better monitor network traffic, restrict traffic between internal servers and tighten controls on who can access certain systems and networks. The company also gave consumers more control over their Equifax data and introduced a free credit-alert service.

There was also a management shakeup. The chief information officer and top security executive both retired, and Equifax hired a new chief technology officer from IBM.

WHAT INFORMATION WAS STOLEN?

Equifax stores a trove of data that provides a financial profile of millions of consumers, including how much they owe on their homes and whether there are court judgments against them.

The compromised data included Social Security numbers, birth dates, addresses, driver license numbers and credit card numbers. Equifax said 3,200 passport images were also stolen. Criminals can use those bits of personal information to commit identity theft.

WHAT DO CONSUMERS GET FROM THE SETTLEMENT?

Equifax has a page, www.equifaxsecurity2017.com, with a link to look up whether your information was exposed.

Affected consumers may be eligible for up to $20,000 in reimbursements for losses from unauthorized charges to affected accounts, legal and other fees, credit-monitoring or identity-theft-protection services and expenses related to freezing or unfreezing credit reports. For the time spent dealing with the breach, consumers can seek $25 per hour for up to 20 hours as compensation.

All impacted consumers will be eligible to receive 10 years of free credit monitoring, at least seven years of free identity-restoration services, and, starting in 2020, six free copies of their Equifax credit report each year for seven years. That's on top of the free copy consumers can already get by law every 12 months from each of the three big agencies - Equifax, Experian and TransUnion. For minors, free credit monitoring increases to 18 years.

If consumers choose not to enroll in the free credit monitoring product available through the settlement, they may seek up to $125 as a reimbursement for the cost of a credit-monitoring product of their choice.

Consumers must submit a claim in order to receive free credit monitoring or cash reimbursements.

WHAT CAN CONSUMERS DO WITH CREDIT REPORTS?

Examine all your listed accounts and loans to make sure that the personal information is correct and that you authorized the transaction. If you find something suspicious, contact the company that issued the account and the credit-rating agency.

Consider freezing your credit, which stops thieves from opening new credit cards or loans in your name. It can be done online. Consumers can freeze their credit for free because of recent legislation, avoiding fees that were typically $5 to $10 per rating agency.

You'll need to remember to temporarily unfreeze your credit, also free, if you apply for a new credit card or loan. And a freeze won't protect you from thieves who file a fraudulent tax return in your name or make charges against an existing account.

WAS THE PUNISHMENT EXPECTED?

Yes, Equifax said earlier this year that it had set aside around $700 million to cover anticipated settlements and fines.

WHAT'S NEXT?

The settlement must still be approved by the U.S. District Court in Atlanta. Consumers can't file claims until after the settlement receives court approval.

Check here for more on the Equifax breach settlement