On September 7th, 2017, Equifax notified the world that they were the target of a cyberbreach. What we know today is that over 145 million U.S. citizens, up to 44 million Britons, and over 8000 Canadians were affected by this hack. The criminals accessed personal information, including first and last names, social security numbers, birth dates, credit card and checking account numbers, and more. To the chagrin of those possibly affected, Equifax waited six weeks before disclosing the breach, which reportedly began as early as May of this year. It is no surprise that in the wake of the announcement, Equifax lawsuits have been filed.
How could this have happened?
Data security requires vigilance, but we’re only human in the end, and mistakes happen. The mistake, ultimately, is that a security flaw in Apache Struts went unpatched. A patch for the flaw in question, however, was released on March 7th, well before the breach that was announced in September.
The U.S. House of Representatives has been on the warpath against Richard F. Smith, former CEO of Equifax, who was forced to step down in the wake of the incident. Testifying before a House committee, Mr. Smith’s story ultimately boiled down to pinning the blame for the breach on one anonymous company employee. Reportedly, this lone individual ignored security warnings and did not apply the necessary patches.
It is a stark change from how the company initially discussed the breach. This changing narrative is one reason why so many Equifax lawsuits are being filed.
One step forward, a dozen backwards
Criticism of the company is everywhere, and it is relentless. Equifax has not made the situation easier on itself. It initially offered its own branded security service in the wake of the breach, but the site was discovered to be poorly secured. It was made with WordPress, which is fine for lower security requirements. However, to check whether or not your data was exposed, you needed to enter your last name and social security information.
The same company that exposed the financial and personal data of nearly 146 million U.S. citizens was asking its clients to input information onto yet another poorly secured platform.
Additionally, Equifax included an arbitration clause on their Trusted ID Premier website whose wording implied that anyone signing up for the security service could not sue Equifax for the breach. While clarifications were issued, it was another blow to the company’s perceived integrity.
Yet possibly most damning of all was Barry Loudermilk (R-Georgia) presenting a bill that would reduce consumer protections against credit bureaus. It would limit damages in a class action suit to $500,000, and would also eliminate all punitive damages. In essence, such a bill would effectively limit Equifax lawsuits related to this breach.
Loudermilk would agree to delay the bill after heavy criticism from consumer advocate groups.
Will the Equifax lawsuits result in anything?
Equifax lawsuits will likely continue to be filed as more information comes out. One firm is seeking $70 billion in damages, the largest class action lawsuit in U.S. history. While there is evidence that points to negligence within the company, the real issue does not lie with Equifax alone. As Richard F. Smith said in his testimony, the issue “requires a much broader discussion around the role of the credit reporting agencies.”
At the end of the lawsuits, Equifax could very well be destroyed as an organization. If the issues that led to such a breach are not addressed, who is to say that the same could not happen to the two other major reporting agencies? Like Equifax, Experian and TransUnion also collect consumer information, and most people don’t even opt into this data collection.
It may take years for the full repercussions of the Equifax hack to be known, years of that “broader discussion” before we see major change. For now, the Equifax lawsuits are a canary in the coal mine for all credit agencies, a devastating reminder of the importance of data security and public relations.