
Equifax hit with class-action suits after massive data breach

“Equifax disregarded the rights of Plaintiffs and Class members by intentionally, willfully, recklessly, or negligently failing to take adequate and reasonable measures to ensure its data systems were protected”

Consumers potentially impacted by Equifax’s massive data breach have filed class-action lawsuits in two states to date: Oregon and Georgia.

The complaint filed in Oregon seeks up to $70 billion in damages and, if nothing changes, could be the largest class action ever filed in the U.S.

From Cyberscoop:

In the case filed in Oregon on Thursday evening, plaintiffs say Equifax “negligently failed to maintain adequate technological safeguards to protect … information from unauthorized access by hackers.”

“Equifax knew and should have known that failure to maintain adequate technological safeguards would eventually result in a massive data breach,” the lawsuit reads. “Equifax could have and should have substantially increased the amount of money it spent to protect against cyber-attacks but chose not to.”

In the case filed in the Northern District of Georgia, lawyers for a separate group level similar accusations.

“Equifax disregarded the rights of Plaintiffs and Class members by intentionally, willfully, recklessly, or negligently failing to take adequate and reasonable measures to ensure its data systems were protected, failing to disclose to its customers the material fact that it did not have adequate computer systems and security practices to safeguard PII, failing to take available steps to prevent and stop the breach from ever happening, and failing to monitor and detect the breach on a timely basis,” the lawsuit reads.

Mary blogged about the Equifax data breach Friday:

Starting in mid-May, cyber terrorists targeted a weak spot in Equifax’s website software. This allowed them to access birth names, birthdays, addresses, credit card numbers, and Social Security numbers. The breach also took “documents with personal information used in disputes for 182,000 people.”

With this information, the criminals “can impersonate people with lenders, creditors and service providers.”

Earlier this year, Equifax, along with TransUnion, was fined over $23 million by the Consumer Financial Protection Bureau for deceiving customers about both their scores and the cost of their credit-monitoring products.

Oregon complaint:

Oregon Class-Action Equifax Complaint by Legal Insurrection on Scribd

Georgia complaint (and a particularly fascinating read):

Georgia Class-Action Equifax Complaint by Legal Insurrection on Scribd

Follow Kemberlee on Twitter @kemberleekaye




Well, that was fast. I guess these guys wanted to get in as quickly as possible to suck the air out of anybody else filing suit.

If anyone has been following the story, you may have seen them blaming an open-source software issue (and MANY media outlets grasping onto it) based SOLELY on an unsubstantiated report from here

According to an unsubstantiated report by equity research firm Baird, citing no evidence, the blame falls on the open-source server framework, Apache Struts. The firm’s source, per one report, is believed to be Equifax.
In fact, several headlines — some of which have since been retracted — all source a single quote by a non-technical analyst from an Equifax source.

There was a pretty bad Apache Struts issue that was patched a few months ago, but there's a good chance, if Struts is even involved, this would have been a 0-day issue, and so far no evidence points to that.

So take everything you see about the vector with a grain of salt.
Also, interesting reading

Since a few higher-ups sold stock just before reports hit and made money (since the stock dipped after the report), I really suspect an inside job, which is NOT a software vulnerability issue.

I’m a bit skeptical of this. While cybersecurity is generally a sh*tshow everywhere, unless they have clear evidence of internal decisionmaking where somebody knowingly, negligently cut the security budget, it’s going to set an ugly and probably unworkable precedent. There’s no such thing as “secure” or “insecure”, only various grades of insecure. N-tier web applications are fiendishly complex things with a huge attack surface.

I don’t want to excuse Equifax here because the default assumption for any web-based company is that they’re not doing enough on security, but this could end up being another Sarbanes-Oxley.

    We do need to know more. Given the data that is in their repository, Equifax and the other major bureaus need to be held to the highest possible standard when it comes to cyber-security. But what you say is true… there is no such thing as “perfect” security.

    It will be interesting to see if their systems and procedures would pass a PCI-DSS audit. Would they stand up to the audit provisions that banks rely upon for safe-harbor exceptions to various regulations? These are some of the standards that other players in the financial industry are expected to adhere to, surely they would be considered an absolute minimum for a firm like Equifax.

    As noted in the earlier thread- this org keeps information on me w/out my consent.

    —oh- I am praying for a dangerous precedent to be set. I want them freaking gone from the face of this planet. I want every online hub on the planet to fear the precedent of liability to be set here on holding info about me (Amazon, Google, Yahoo- can you hear me now?)

    Collecting, holding, sharing information on people has become the norm. This needs to stop.

You think this will ruin their credit?

I think true justice will be done when the company officers who short sold the stock are hung for insider trading.