Equifax Inc. (EFX.N) agreed to pay up to US$700 million to resolve U.S. federal and state investigations into the 2017 hack that compromised some of the most sensitive information of more than 140 million people.

“Companies that profit from personal information have an extra responsibility to protect and secure that data,” FTC Chairman Joe Simons said in a statement. “Equifax failed to take basic steps that may have prevented the breach.”

Equifax will pay as much as US$425 million to compensate consumers and provide credit monitoring to those whose information was exposed under a settlement announced Monday by the Federal Trade Commission. Equifax will separately pay US$175 million to 48 states, the District of Columbia, and Puerto Rico, and an additional US$100 million to the U.S. Consumer Financial Protection Bureau.

The agreement, the largest data-security settlement by the agency, resolves a nearly two-year investigation by all 50 states and the FTC into the massive breach that compromised sensitive information like Social Security numbers and dates of birth.

The incident sparked outcries on Capitol Hill and among consumer advocates for more oversight of the three big consumer credit-rating companies: Equifax, TransUnion and Experian Plc. At a hearing in February, Democrats and Republicans on the House Financial Services Committee slammed the companies, as Chairwoman Maxine Waters promised to tighten regulation of the industry.

Yet lawmakers have failed to act since the hack was disclosed.

Equifax, based in Atlanta, has largely bounced back with shares recovering nearly all their value since the company disclosed the breach in September 2017. At the time, Equifax’s stock lost more than a third of its value within days.

Hackers gained access to the Equifax network in May 2017 and attacked the company for 76 days, according to a House Oversight Committee report. Equifax noticed “red flags” in late July, and then in early August contacted the Federal Bureau of Investigation, outside counsel and cybersecurity firm Mandiant. The company waited until September to inform the public of the breach.

Hackers stole at least 147 million names and dates of birth, nearly 146 million Social Security numbers, and 209,000 payment card numbers and expiration dates, the FTC said.

The agency relies on its authority to regulate unfair and deceptive trade practices to hold companies accountable for data-security representations. The FTC has authority to examine whether a company’s practices were reasonable and whether it was living up to representations about security of data.

The FTC said Equifax failed to patch its network after being alerted in March 2017 to a critical security vulnerability affecting a database that handles inquiries from consumers about their personal credit data. Equifax’s security team ordered thatvulnerable systems be patched, there was no follow-up to ensure the order was carried out, the FTC said.

Under the settlement, Equifax will pay up to US$425 million into a fund that will provide affected consumers with credit monitoring. The fund will also compensate consumers who bought credit- or identity-monitoring services from Equifax and paid other expenses as a result of the breach, the FTC said.

The company also will implement an information-security program that will require annual assessments of security risks, obtaining annual certifications from the board of directors that the company has complied with the settlement, and testing security safeguards.

--With assistance from Jenny Surane, Daniel Stoller and Erik Larson.