Little more than a day after Equifax disclosed that hackers had infiltrated its cybersecurity systems and “compromised” the personal data of 143 million Americans, the company was hit with its first class-action lawsuit, which alleged that the company could’ve prevented the breach if hadn’t instead opted for negligent cost-cutting.
That suit, seeking $70 billion, was filed by Mary McHill and Brook Reinhard in a Portland, Ore. court.
“In an attempt to increase profits, Equifax negligently failed to maintain adequate technological safeguards to protect Ms. McHill and Mr. Reinhard’s information from unauthorized access by hackers,” the complaint stated.
“Equifax knew and should have known that failure to maintain adequate technological safeguards would eventually result in a massive data breach. Equifax could have and should have substantially increased the amount of money it spent to protect against cyber-attacks but chose not to.”
While the Equifax breach wasn’t the largest-ever in terms of the sheer number of customers affected, it will probably be remembered as one of the most damaging. Among the sensitive data, hackers absconded with social security numbers, credit card and banking information – considered the most valuable to fraudsters and identity thieves lurking on the dark web. Compounding the public’s outrage is the fact that the company had known about the hack for a month before it was disclosed, allowing its executives to cash out $2 million in stock.
And less than a week after the breach – which occurred between mid-May and July – was disclosed, it appears that the Portland lawsuit was just the first crack in levee. Since then, more than 30 lawsuits have been filed in the United States against Equifax Inc., according to Reuters.
Some have alleged securities fraud, accusing the company of misleading shareholders to benefit insiders.
“At least 25 lawsuits had been filed in federal courts by Sunday, including at least one accusing the company of securities fraud, court records show.
Several more lawsuits were filed against Equifax on Monday. Many of those raising similar claims will likely be combined into a single, nationwide case.”
“In the securities fraud lawsuit, Equifax was accused of misleading shareholders about its ability to protect consumer data, inflating its financial statements and share price before the truth became known.”
Another criticized the company’s (meager) offering of free credit monitoring for a year for consumers who were affected, as plaintiffs cynically accused the company of taking advantage of a catastrophe to try and upsell customers.
“Some lawsuits criticized Equifax’s offer of a year of free credit monitoring with its TrustedID product. One complaint filed in San Jose, California, suggested that Equifax might do this to lay a “foundation” to pitch costlier services. It cited a Feb. 22 regulatory filing in which Atlanta-based Equifax said more companies are offering free or low-cost services such as credit scores, reports and monitoring “as a means to introduce consumers to premium products and services.”
And now, in what’s perhaps the most portentous development for the company and its executives, at least one US senator has called for a criminal investigation into Equifax’s corporate leadership.
According to Reuters, Senator Heidi Heitkamp, a Democrat who sits on the Senate Banking Committee, said it was “disturbing” that it appeared executives sold their stock before disclosing material information to the public.
“If that happened, somebody needs to go to jail,” Heitkamp said at a credit union industry conference in Washington. “It’s a problem when people can act with impunity with no consequences. How is that not insider trading?”
Whether or not this happened, the truth will likely be known soon enough. On Monday, Senator Orrin Hatch, who chairs the Finance Committee, and ranking Democrat Ron Wyden, demanded that Equifax Chief Executive Rick Smith provide a timeline of the breach and its discovery. Equifax said it had learned of the hack on July 29.
On Aug. 1, just three days later, top company executives, including Chief Financial Officer John Gamble sold Equifax shares or exercised options worth about $1.8 million, according to regulatory filings.
The company has said the executives weren’t aware of the breach when they sold their shares. But the timing certainly is curious…
Public sentiment toward Equifax is so toxic, that one programmer is repurposing a bot he released in July to make it easier for affected parties to sue the company, according to the Verge.
“The DoNotPay bot – as it’s known - is mainly used for helping with parking tickets. But with this new update, its creator, Joshua Browder, who was one of the 143 million affected by the breach, is tackling a much bigger target, with larger aspirations to match. He says, ‘I hope that my product will replace lawyers, and, with enough success, bankrupt Equifax.’”
Of course, the fact that such a devastating hack was carried out against a company whose sole job is safeguarding consumers against fraud is absurdly ironic. In a way, it mirrors the irony of ratings agencies, tasked with deciding the creditworthiness of fixed-income products, stamping incredibly risky bonds with triple AAA ratings.