Equifax has agreed to pay at least $650 million to settle claims originating from its massive 2017 data breach.

A large chunk of that money, $300 million, will go toward claims from any of the 147 million-plus consumers - nearly half the U.S. population - impacted by the breach. Another $275 million will go toward fines to end investigations of the breach by the Consumer Financial Protection Bureau (CFPB), the Federal Trade Commission and the attorneys general of 48 states. (Massachusetts and Indiana sued Equifax separately, and those cases remain unresolved.)

Equifax also agreed to provide free credit monitoring for all U.S. victims of the breach, a concession that could ultimately increase the size of the settlement significantly. The assumption is that only about 7 million people will sign up for credit monitoring services. But each additional million who do so will cost Equifax another $16 million-plus, and if all 147 million breach victims sign up, the company would be on the hook for over $2 billion.

Once the settlement is finalized, it will be the largest ever in a data breach case in both dollars and number of victims. Still, $650 million is a little less than Equifax makes in a typical quarter, and some consumer advocates said the company’s punishment should have been more severe.

“The Equifax fine is grievously low, particularly given the scope of the identity problems they created,” said Pam Dixon, executive director of the World Privacy Forum.

Christopher Peterson, a law professor at the University of Utah and a former enforcement attorney for the CFPB, said while the amount of the settlement was “not insignificant” and a quick settlement was probably better for consumers than years of litigation, “over the long term, it creates only a relatively mild incentive for the big credit reporting agencies to strengthen their data security.” (NEW YORK TIMES)