
Equifax is facing a towering pile of class action lawsuits



Remember how deposed Equifax CEO Rick Smith got trotted around Capitol Hill to have his wrist metaphorically slapped by several congressional committees following what security journalist Brian Krebs so memorably referred to as the “dumpster fire” of a breach?

…and remember how we told you not to hold your breath with regard to real reform in the data brokerage industry? After all, in spite of congressional members saying that the company’s pre- and post-breach actions/inactions “smelled really bad,” there was zero talk of serving Equifax execs with subpoenas.

Well, subpoena time may have gotten yet another class-action lawsuit closer. If Washington isn’t going to slap some payback out of Equifax, then hopefully one or more of the 70+ class action lawsuits filed since the breach was disclosed on 7 September 2017 will do some good.

The law firm of Stritmatter Kessler Whelan just filed another one: a national class action complaint (PDF) against Equifax in the US District Court of the Western District of Washington, in Seattle. The case is still in its early stages, but the law firm says it’s signed three named plaintiffs.

A woman who believes she’s one of the 140 million victims says her identity has been stolen 15 times since the breach.

Katie Van Fleet, of Seattle, says she’s received letters from stores including Kohl’s, Macy’s, Old Navy and Home Depot, thanking her for her credit applications. Nope, didn’t apply for any such, Van Fleet says. She and her Stritmatter attorney, Catherine Fleming, believe that her personal data was stolen during the Equifax hack.

It’s a fine kettle of fish to be forced to deal with when you’re trying to buy a house, as is Van Fleet. What’s particularly galling is that neither she nor any of us have a choice about credit reporting agencies gobbling up our data, she says… and then disgorging it upon the internet:

I feel very helpless. I didn’t sign up to Equifax so I feel all of that stuff has been taken and I’m left here trying to sweep up the pieces and protect myself and protect my credit.

The Seattle suit is alleging that, among other things, Equifax…



  • “Willfully, knowingly, callously, recklessly, and negligently” let hackers get at the personally identifying information (PII) of more than 100 million US citizens, green card holders and business customers without their prior express consent, and “without regard” for what would be done with the data.
  • “Exploited the harm” done to the victims with an incident response site that offered the “deceptive promise” of one year of free credit monitoring by its wholly owned subsidiary, TrustedID, in exchange for users waiving their right to pursue legal action.
  • Knew, or should have known, about the breach when it happened or soon thereafter, but three company execs cashed in almost $2 million worth of shares weeks before they told shareholders or affected consumers and business owners.

The suit alleges that Equifax is forcing people or businesses to give up the right to sue it, but the company, given a good bit of grief over the issue, updated its policy on 11 September to state that:

…enrolling in the free credit file monitoring and identity theft protection products that we are offering as part of this cybersecurity incident does not prohibit consumers from taking legal action.

The suit alleges that it’s “unfair, deceptive and otherwise wrongful conduct under state and federal law” for Equifax to “[create] the illusion that Plaintiffs and other consumers may benefit” from the cash cow that is TrustedID.

Stritmatter has another term for Equifax’s TrustedID credit monitoring: it’s calling it “profiteering.”

No one should feel safe about this breach after one year. Typically, bad actors hold onto Personally Identifiable Information for a period of time with the intent of escaping the breach victim’s attention.

Indeed, bad actors can hold onto our PII for years: long enough for the Equifax breach, and the company’s jaw-dropping sloppiness before and after the breach, to fade from the headlines and from the collectively short attention span of Capitol Hill; long enough for some of us to get tired of the inconveniences of credit freezes and free up our credit so we can carry on with life as we take out mortgages, buy cars, apply for credit lines and so on.

If you’re thinking about joining a class action suit against Equifax, there are a few things to keep in mind.

For one, as pointed out by Consumer Reports, if you join a class action, alleging serious financial, physical, or other harm, you give up your right to sue a company on your own.

Keep in mind that proving an individual’s loss is going to be tough. Another proposed class-action lawsuit filed in Oregon accuses the company of negligence by failing to take appropriate measures to protect consumer data. It estimates billions of dollars in losses.

How much loss has any individual suffered? Well, that amounts to the grand total of $19.95 – the amount one of the Oregon plaintiffs paid for a third-party credit monitoring service after the breach was announced, according to the complaint.

Can anybody put a dollar sign on the amount of work and aggravation that somebody like Van Fleet has gone through to clean up her credit report and the onslaught of identity theft she’s suffered?

At this point, it’s up to lawyers, and the courts, to ascertain.




Source: Naked Security


