Within hours after Equifax disclosed yesterday that hackers had compromised the personal information of nearly 143 million Americans, the Atlanta-based credit reporting agency was hit with a class action lawsuit in U.S. District Court in Portland, Oregon.
The 12-page complaint filed last night charges that Equifax – in “an attempt to increase profits” – “negligently failed to maintain adequate technological safeguards … [and] “could have and should have substantially increased the amount of money it spent to protect against cyber-attacks.” The complaint was filed on behalf of two Portland residents whose personal information was compromised by the data breach.
The complaint says that the victims of the hack “hope Equifax will use this massive data breach … as a teachable moment to finally adopt adequate safeguards to protect against this type of cyber-attack in the future.”
Equifax disclosed late yesterday that it discovered “unauthorized access” to its systems on July 29th, but that the hackers had been accessing Equifax files since mid-May, according to a company statement.
This is one of the largest reported cybersecurity attacks in U.S. history, with nearly 44% of Americans affected. Only Yahoo! Inc. tops the size of this data breach, with almost 1.5 billion of the internet service provider’s customer accounts compromised.
Consumer’s names, social security numbers, birth dates, addresses, and – in some cases – driver’s license numbers were compromised in the Equifax attack. The hackers also gained access to credit card numbers for more than 200,000 consumers and payment dispute documents for another 182,000 consumers.
Equifax also confirmed that limited personal information for residents in the United Kingdom and Canada was compromised.
The exact cause of the hack isn’t clear. In its statement, the company said that the hackers gained access to its systems through an application vulnerability but further details were not disclosed.
This isn’t the first time Equifax has found itself in the crosshairs of hackers. Last year, cybercriminals stole W-2 tax information from an Equifax website and from an Equifax subsidiary, TALX, a provider of online payroll services.
In a statement, Equifax CEO Richard F. Smith said that “[c]onfronting cybersecurity risks is a daily fight. While we’ve made significant investments in data security, we recognize we must do more. And we will.”
And to compound an already messy situation, three senior executives of the company reportedly sold shares of Equifax stock – worth nearly $2 million – after the breach was discovered but before its public disclosure.
Equifax stock plunged at the opening of trading this morning, down more than 20% on the news.