Credit score agency Equifax has agreed to pay up to $700m (£561m) as part of a settlement with a US regulator following a data breach in 2017.
The Federal Trade Commission had alleged the Atlanta-based firm failed to take reasonable steps to secure its network.
The records of at least 147 million people were exposed in the incident.
At least $300m will go towards paying for identity theft services and other related expenses run up by the victims.
This sum will expand to a maximum of $425m if required to cover the consumers’ losses.
The rest of the money will be divided between 50 US states and territories and a penalty paid to the Consumer Financial Protection Bureau.
“Equifax failed to take basic steps that may have prevented the breach,” said the FTC’s chairman Joe Simons.
“This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud.”
The agency added that among the stolen information, the hackers copied:
- at least 147 million names and dates of birth
- about 145.5 million Social Security numbers
- a total of 209,000 payment card numbers and expiration dates
The UK’s Information Commissioner’s Office has already issued the company with a £500,000 fine for failing to protect the personal information of up to 15 million UK citizens during the same attack.