Equifax will also pay $275 million in civil penalties and other compensation to 48 states, Washington, Puerto Rico and the Consumer Financial Protection Bureau.
“Companies that profit from personal information have an extra responsibility to protect and secure that data,” said FTC Chairman Joe Simons in a statement. “Equifax failed to take basic steps that may have prevented the breach.”
The hack, the largest in US history, exposed sensitive information, including names, Social Security numbers, drivers’ license numbers and addresses.
Equifax did not respond to CNN Business’ request for comment.
Hackers leveraged a security flaw in a tool designed to build web applications to steal customer data. Equifax admitted it was aware of the security flaw a full two months before the company says hackers first accessed its data.
The data breach prompted the resignation of CEO Richard Smith and investigations by federal regulators, multiple states attorneys general and the company faces a number of civil lawsuits.