(Reuters) - The U.S. Federal Trade Commission announced on Monday that Equifax Inc. EFX.N will pay up to $700 million for a data breach that exposed millions of consumers' personal information.
The following are seven of the largest data breach settlements in recent years.
Following its 2017 data breach, Equifax will pay up to $700 million to the U.S. Federal Trade Commission, the Consumer Financial Protection Bureau and nearly all U.S. states and territories. That includes a $175 million fine to the states and $100 million to the CFPB. It will also establish a $300 million restitution fund for harmed consumers. That amount could grow to $425 million depending on how many consumers act on it.
In 2018, ride-hailing app Uber UBER.N reached a $148 million settlement with 50 U.S. states and Washington, D.C., for failing to disclose a massive data breach in 2016. It exposed personal data from 57 million user accounts.
Retailer Target Corp TGT.N agreed in 2017 to pay $18.5 million to 47 U.S. states and the District of Columbia for the company's massive 2013 data breach. Target reported that hackers stole data from up to 40 million credit and debit cards from shoppers who visited its stores in the 2013 holiday season.
Anthem, Inc. ANTM.N agreed to pay $16 million to the U.S. Department of Health and Human Services and the Office for Civil Rights in 2018 to settle potential violations of HIPAA, the Health Insurance Portability and Accountability Act Privacy and Security Rules, an HHS statement said. A series of cyberattacks exposed the health information of almost 79 million people.
Earlier this month, health insurance company Premera Blue Cross agreed to pay $10 million to 30 U.S. states for allegedly failing to secure consumer data. A hacker had access to its network of private health information and Social Security numbers from May 2014 to March 2015, a statement from the Washington state attorney general said.
6) Nationwide Mutual
Insurance company Nationwide Mutual agreed in 2017 to pay $5.5 million to 33 U.S. states for a 2012 data breach. The attorneys general alleged that the company failed to apply a critical security patch and resulted in the loss of the personal information of over one million consumers.
7) Ashley Madison
Adultery website Ashley Madison’s parent company Ruby Corp agreed in 2016 to pay $1.6 million to settle FTC and state charges that it failed to protect 36 million users’ account and profile information in a July 2015 data breach. In a separate 2017 settlement, the company agreed to pay $11.2 million in a class-action settlement, which said users with valid claims could recoup up to $3,500 depending on their losses from the breach.
Reporting by Bryan Pietsch; Editing by Nick Zieminski
Our Standards: The Thomson Reuters Trust Principles.