Most everyone has heard something about the Latest breach of Equifax. Here is some of the latest information.
The massive Equifax data breach has already led to the filing of more than 30 lawsuits seeking class-action status. One of the lawsuits, filed in Portland, Oregon, is demanding up to $70 billion in damages.
The lawsuits are just one measure of the fury generated by Equifax – one of the three biggest U.S. data brokers – revealing Thursday that it suffered a breach, beginning in May, that exposed to hackers 143 million consumers’ personal details, including information that could be used to commit identity theft.
In its alert issued Thursday, Equifax said that it discovered the breach July 29 and launched a website that consumers can use to see if their data was exposed. The company is offering all U.S. consumers one year of prepaid credit monitoring, which includes freezing their credit reports on Equifax. But it has not offered to do the same with consumers’ credit reports at other data brokers.
Almost immediately following the breach notification, affected consumers began filing lawsuits – more than 30 by Monday, Reuters reports. Meanwhile, attorneys general in at least five states – including New York and Illinois – have also announced formal breach investigations. And several Congressional committees are launching or eyeing breach-related hearings. Equifax has also promised to work with regulators in Canada and the United Kingdom, where some victims reside.
Hardest hit by the breach, however, were those who live in the U.S. The breach exposed information on nearly half of all U.S. adults, including names, birthdates, addresses, Social Security numbers and in some cases, driver’s license numbers. All of that data is regularly used to verify an individual’s identity, and thus it’s also valuable for identity thieves.
“The quality of data potentially compromised is very valuable to cybercriminals,” cybersecurity attorney Imran Ahmad tells Information Security Media Group. “What these guys are looking for is high value bits of information. The reason they like this type of data is because they can easily on the darknet sell these and create virtual profiles and sell them to others.”
Numerous security watchers have called for Equifax to publicly atone for the breach – and do so quickly – and have called on anyone who has a choice of data brokers to immediately stop working with Equifax. Some also want to see Equifax CEO Richard Smith ousted.
“Smith should resign. If he does not, his board should fire him,” says information security expert William Hugh Murray, who’s a senior lecturer at the Naval Postgraduate School.
Three other Equifax executives sold stock in the company after it learned of the breach, but before it issued a public notification (see Equifax Breach: 8 Takeaways).
The U.S. Securities and Exchange Commission declined to comment to ISMG about whether it will investigate the timing of those stock sales.
Equifax has released a statement saying that the executives – including its chief financial officer – had been unaware that the breach had occurred when they sold shares.
Murray, meanwhile, recommends the three “resign and flee the country before the Feds come after them for insider trading.” And for good measure, he adds, “the CISO should update his resume.” As ISMG has previously reported, however, that job position was, until recently, being advertised as vacant.
Lawsuit Seeks Up to $70 Billion
Equifax already faces multiple lawsuits over the breach, including one filed in Oregon by Mary McHill from Portland and Brook Reinhard from Eugene. Their lawsuit seeks class-action status on behalf of everyone affected by the breach and demands damages of as much as $70 billion. It was filed by law firm Olsen Daines PC, together with Geragos & Geragos, which Bloomberg reports is a law firm known for launching splashy, high-octane class actions.
“This complaint requests Equifax provide fair compensation in an amount that will ensure every consumer harmed by its data breach will not be out-of-pocket for the costs of independent third-party credit repair and monitoring services,” according to the complaint.
Reinhard, for example, says that he spent $19.95 to buy “third-party credit monitoring services he otherwise would not have had to pay for.”
The lawsuit also alleges that Equifax failed to invest sufficiently in its information security program. “In an attempt to increase profits, Equifax negligently failed to maintain adequate technological safeguards to protect [individuals’] information from unauthorized access by hackers,” according to the complaint. “Equifax knew and should have known that failure to maintain adequate technological safeguards would eventually result in a massive data breach. Equifax could have and should have substantially increased the amount of money it spent to protect against cyberattacks but chose not to.”
Many breach-related lawsuits, however, have failed, with the cases often being dismissed because plaintiffs failed to prove they suffered unreimbursed financial losses (see Why So Many Data Breach Lawsuits Fail).