Company knew it had been hacked but didn’t alert consumers for six weeks
SAN FRANCISCO (Sept. 26, 2017) — City Attorney Dennis Herrera today filed a lawsuit against credit reporting company Equifax for failing to protect the personal data of more than 15 million Californians.
San Francisco is the first city in the country to sue Equifax over the massive data breach that compromised the personal information of 143 million U.S. consumers. The company disclosed the breach on Sept. 7, 2017, six weeks after it learned its system had been compromised.
“Equifax’s incompetence would be comical if the subject matter weren’t so serious,” Herrera said. “This company fell asleep at the switch and upended the lives of millions of people. The information that Equifax failed to safeguard is what people need to open a bank account, buy a home or rent an apartment. Now Californians have been put at risk of identity theft for years to come.”
According to the lawsuit filed in San Francisco Superior Court on behalf of the people of the State of California, Equifax violated state law governing unlawful, unfair or fraudulent business practices by:
- failing to implement and maintain reasonable security procedures and practices
- failing to provide timely notice of the data breach to affected California consumers
- when it finally provided notice, failing to provide complete, plain and clear information
The lawsuit seeks restitution for California consumers who purchased credit monitoring services from Equifax prior to Sept. 7, 2017, civil penalties of up to $2,500 per violation of the law, and a court order requiring Equifax to implement and maintain appropriate security procedures for the highly sensitive information it handles.
Equifax collects names, phone numbers, addresses, social security numbers, dates of birth, financial account information and other data for 820 million consumers worldwide.
However, Equifax uses open-source software called Apache Struts on its website. Equifax didn’t install a freely available “patch” to fix a vulnerability in the software after that security problem was detected and publicly announced on March 7, 2017 by various organizations. Equifax could have prevented the data breach by implementing the free patches and fixes provided by the Apache Software Foundation in March 2017.
“When you’re dealing with highly sensitive information, keeping your software up to date is such a basic step,” Herrera said. “Equifax also could have encrypted this information or segmented the data in separate databases to prevent hackers from being able to access all of a person’s information at once. Equifax did none of that.”
Instead, from May 13, 2017 to July 30, 2017, someone hacked into Equifax’s computer system using the vulnerability and stole data impacting 143 million people, or roughly 44 percent of the U.S. population. Equifax discovered the data breach on July 29, 2017 but didn’t alert customers to the problem until it posted a notice on its website on Sept. 7, 2017, six weeks later.
“Equifax made a bad situation worse,” Herrera said. “Their delay prevented more than 15 million California consumers from taking immediate action to protect themselves from the risk of identity theft and fraud.”
California law requires entities that do business in the state to notify the owner or licensee of the information about a data breach “immediately following discovery, if the personal information was, or is reasonably believed to have been acquired by an unauthorized person.”
The notice that Equifax finally posted contained confusing and misleading information and didn’t include information required under California law.
The case is: People of the State of California v. Equifax, Inc., San Francisco Superior Court Case No. CGC-17-561529, filed Sept. 26, 2017. More information is available on our website at www.sfcityattorney.org.
Resources for consumers
These are resources for consumers concerned their personal information may have been compromised in the Equifax breach.