Less than 24 hours after Equifax confirmed that it was affected by a massive data breach that saw hackers steal social security numbers and other personal information of nearly 143 million people, the firm now faces a multibillion dollar class action lawsuit.
Two victims in Oregon, affected by the breach — Mary McHill from Portland, and Brook Reinhard from Eugene — have filed a national class action lawsuit. "Plaintiffs file this complaint as a national class action on behalf of over 140 million consumers across the country harmed by Equifax's failure to adequately protect their credit and personal information," the complaint reads, Cyberscoop reported.
"Equifax owed a legal duty to consumers like Ms McHill and Mr Reinhard to use reasonable care to protect their credit and personal information from unauthorized access by third parties. Equifax knew that its failure to protect Ms McHill and Mr Reinhard's credit and personal information from unauthorized access would cause serious risks of credit harm and identity theft for years to come," the complaint stated.
When announcing the breach, Equifax offered customers the option of signing up for a free credit card monitoring and identity theft insurance service, called Trusted ID for a year. Interestingly, those who sign up for the offer reportedly have to waive their right to join a class-action lawsuit. However, Equifax clarified that the arbitration clause refers to the Trusted ID product and not any lawsuits dealing with the data breach.
In another case filed in Georgia, lawyers representing a separate group of victims also levelled similar accusations at Equifax.
"Equifax disregarded the rights of Plaintiffs and Class members by intentionally, willfully, recklessly, or negligently failing to take adequate and reasonable measures to ensure its data systems were protected, failing to disclose to its customers the material fact that it did not have adequate computer systems and security practices to safeguard PII, failing to take available steps to prevent and stop the breach from ever happening, and failing to monitor and detect the breach on a timely basis," the lawsuit reads.
The Oregon suit is seeking $68.6bn (£51.9bn) in damages while the Georgia suit claims that the cost "exceeds $5m".
Shortly after news of the Equifax hack broke, reports emerged of three of the firm's executives having sold stocks just days before the firm revealed the breach to the public.
"To me, this breach is a like a Category 5 hurricane in the cyber world, at least 1/3 of US population are affected by this. The lasting impact from the breach will go on for years," Fleming Shi, senior VP of technology at Barracuda Networks told IBTtimes UK.
"Credit monitoring companies manage a treasure trove of information that can be damaging if it lands in the wrong hands, especially when it's been in those hands for several months. Given the sensitivity of this type of data any such organisation needs a robust system in place to prevent these attacks from being successful," Adrian Rowley, EMEA technical director at Gigamon told us.
"A key prerequisite for a sound IT security strategy is knowing exactly what data is in your networks. Visibility is key, and our recent research found that sixty-one percent of respondents in the UK cited network blind spots as a major obstacle to effective data protection, while 41 percent of those without complete visibility of their network admit to lacking sufficient information to identify threats. Unfortunately, it seems that this has become a reality for Equifax."