Update: As of Monday, legal teams across the U.S. have filed more than 30 lawsuits against Equifax following its breach revelations, Reuters reports. It is likely the suits will be combined into a single case because many of the complaints are similar.
The Senate Committee on Finance is also looking into the data breach, which it says is "one of the largest on record" because of the scope and scale of incident and the extremely sensitive nature of the compromised information. Sens. Orrin Hatch, R-UT, and Ron Wyden, D-OR, asked targeted questions about the firm's response to the breach and its approach to cybersecurity in a letter to Rick Smith, chairman and CEO of Equifax.
One of the questions inquired about the makeup of Equifax's security team, such as whether it has a chief information security officer and, if so, who they reported to.
- Equifax is facing several possible class action lawsuits after the credit reporting firm revealed last week it suffered a data breach impacting 143 million U.S. consumers. Two law firms — Olsen Daines PC and Geragos & Geragos — filed a a suit in federal court in Oregon, and a lawyer from Morgan & Morgan filed a suit in federal court in Georgia, CyberScoop reports. A Geragos attorney said the suit will seek as much as $70 billion in damages, Bloomberg reports. Another high-profile firm, Hagens Berman Sobol Shapiro LLP, is investigating the Equifax case for possible insider selling, option activities and securities law violations, according to an announcement.
Confusion also persisted about whether those who opted into the the credit monitoring could participate in the suit. When signing up for free credit monitoring, language in the terms of agreement made it appear that users forfeited rights to participate in any potential class action lawsuits. However, the New York Attorney General’s Office clarified with Equifax that contract language applied to the identity theft products and not potential arbitration related to the data breach. New York Attorney General Eric T. Schneiderman launched a formal investigation into the breach on Friday. Federal lawmakers are also calling for hearings on the breach.
After conversations w my office, @Equifax has clarified its policy re: arbitration. We are continuing to closely review. pic.twitter.com/WcPZ9OqMcL— Eric Schneiderman (@AGSchneiderman) September 8, 2017
- People are struggling to determine if they were impacted by the breach. Equifax's data breach impact checker, which is hosted by Equifax subsidiary TrustedID, does not provide definite answers about whether individuals were impacted, stating consumers "may be" affected rather than providing a clear response, ZDNet reports. Some users entered in fake information to check the system, and the checker said the individual was breached. It also asks for the last six digits of a user's social security number and last name, the same information which may have already been compromised in the breach.
Expert consensus says Equifax bungled the breach and the subsequent response. During disclosures of large-scale cybersecurity incidents, particularly those involving personally identifiable information, industry best practice encourages companies to report early and often. Near-immediate disclosure is praised, and tapping a third-party to help manage response can help organizations save face during potentially embarrassing incidents.
But Equifax had a number of mishaps. Days before the breach was disclosed, three senior executives sold a total of $1.8 million worth of shares in the company. Additionally, when individuals went to check whether they were impacted by the breach, they were navigated to a new website, www.equifaxsecurity2017.com, rather than one hosted on the primary corporate site.
Cybersecurity expert Brian Krebs called the credit reporting firm's response a "dumpster fire."
One of the biggest criticisms of the breach is how sensitive the comprised information was. In the Yahoo data breach, as many as 1 billion user accounts were impacted. The compromised information, though personally identifiable, included emails and passwords, which are easily changed. But the Equifax breach compromised social security numbers, credit card numbers and potentially sensitive personal financial data.
The company has said there is no evidence of unauthorized access to its consumer or commercial credit reporting databases. But that doesn't lessen the impact of exposed SSNs and, in some instances, drivers license numbers. The Equifax breach is akin to the 2015 Office of Personal Management breach in severity, but it impacted far more people.
Both of the class action lawsuits filed in federal court come from experienced firms, and they could take years to play out. Geragos & Geragos has handled high-profile class action lawsuits in the past, and Morgan & Morgan has worked on several breach suits, including cases related to Target and a pending suit against Yahoo.