Hackers gained access to the Equifax network in May 2017 and attacked the company for 76 days, according to a House Oversight Committee report. Equifax noticed “red flags” in late July, and then in early August contacted the Federal Bureau of Investigation, outside counsel and cybersecurity firm Mandiant. The company waited until September to inform the public of the breach.

Hackers stole at least 147 million names and dates of birth, nearly 146 million Social Security numbers, and 209,000 payment card numbers and expiration dates, the FTC said.

The agency relies on its authority to regulate unfair and deceptive trade practices to hold companies accountable for data-security representations. The FTC has authority to examine whether a company’s practices were reasonable and whether it was living up to representations about security of data.

The FTC said Equifax failed to patch its network after being alerted in March 2017 to a critical security vulnerability affecting a database that handles inquiries from consumers about their personal credit data. Equifax’s security team ordered that vulnerable systems be patched, there was no follow-up to ensure the order was carried out, the FTC said.

Under the settlement, Equifax will pay up to $425 million into a fund that will provide affected consumers with credit monitoring. The fund will also compensate consumers who bought credit- or identity-monitoring services from Equifax and paid other expenses as a result of the breach, the FTC said.

The company also will implement an information-security program that will require annual assessments of security risks, obtaining annual certifications from the board of directors that the company has complied with the settlement, and testing security safeguards.

New York Attorney General Letitia James, whose state is due to get $9 million under the deal, said Equifax had endangered Americans through “ineptitude, negligence, and lax security standards.”

“Now it’s time for the company to do what’s right and not only pay restitution to the millions of victims of their data breach, but also provide every American who had their highly sensitive information accessed with the tools they need to battle identity theft in the future,” James, who co-led the coalition of states, said in a statement.

Californians will get $18.7 million under the agreement, according to the state’s attorney general, Xavier Becerra.

“The same Americans who had to immediately protect themselves from fraudsters or identify thieves will have to be vigilant for the rest of their lives. We encourage every eligible person to apply for the relief they are entitled to as part of our settlement,” Becerra said Monday in a statement.