(CNN) — Credit reporting agency Equifax has reached a deal to pay up to $700 million to state and federal regulators to settle probes stemming from a data breach that exposed the personal information of nearly 150 million people.
Arkansas will get about $2.5 million of that for claims, Attorney General Leslie Rutledge's office announced.
The Federal Trade Commission announced Monday that Equifax will pay at least $300 million and as much as $425 million to compensate affected people with credit monitoring services. That money will go into a fund that will also reimburse people who purchased credit- or identity-monitoring services because of the 2017 data breach. The amount of the settlement could change depending on the number of claims still to be filed by consumers.
Attorney General Rutledge and a coalition of 49 other attorneys general in 48 states, the District of Columbia and the Commonwealth of Puerto Rico reached the settlement with Equifax.
Equifax will also pay $275 million in civil penalties and other compensation to 48 states, Washington, Puerto Rico and the Consumer Financial Protection Bureau.
“Arkansans trusted Equifax with their personal information as a means to track their credit scores,” said Attorney General Rutledge. “We are holding the company accountable for its failure to safeguard personal information.”
The deal also requires more changes to how Equifax handles private user data. For example, the company will have to adjust its information security protocols, including annual assessments of security risks and receiving the board's certification attesting that the company has complied with the FTC's order.
The FTC alleges Equifax violated the agency's prohibition against unfair and deceptive practices. The FTC said Equifax failed to properly safeguard peoples' personal information despite claiming in its privacy policy that it implemented "reasonable physical, technical and procedural safeguards" to protect their data.
"Companies that profit from personal information have an extra responsibility to protect and secure that data," said FTC Chairman Joe Simons in a statement. "Equifax failed to take basic steps that may have prevented the breach."
The hack, the largest in US history, exposed sensitive information, including names, Social Security numbers, drivers' license numbers and addresses.
Equifax did not respond to CNN Business' request for comment.
Those eligible for restitution in Arkansas must submit claims online, by mail or by phone. Consumers can get settlement information, check their eligibility to file a claim and file a claim by phone or online. Email updates will be available regarding the launch of the Equifax Settlement Breach online registration by signing up at www.ftc.gov/equifax. Consumers can also call the FTC at (833) 759-2982 for more information.
Equifax first disclosed the hack in September 2017, three months after the company discovered the breach.
Hackers leveraged a security flaw in a tool designed to build web applications to steal customer data. Equifax admitted it was aware of the security flaw a full two months before the company says hackers first accessed its data.
The data breach prompted the resignation of CEO Richard Smith and investigations by federal regulators, multiple states attorneys general and the company faces a number of civil lawsuits.
5NEWS contributed to this report.