Nearly two years on, credit reporting agency Equifax is still dealing with the fallout of a massive data breach. The company has been named in numerous lawsuits related to the breach – and now the state of Indiana has joined the fray.
Indiana Attorney General Curtis Hill has filed a lawsuit against the credit reporting agency seeking civil penalties, consumer restitution, costs and injunctive relief for the breach. The data breach exposed the personal information of nearly 148 million consumers – including nearly 4 million Indiana residents, according to Hill’s office. Equifax discovered the breach in the summer of 2017 but did not make it public until months later.
“Data breaches such as this one cause real harm to real people,” Hill said. “Hoosiers trust us to work hard every day to ensure their safety and security. This action against Equifax results from an extensive investigation, and we will continue our diligent efforts to protect consumers from illegal or irresponsible business activities.”
The breach was one of the largest in history – and one that was “entirely preventable,” according to the House Committee on Oversight and Government Reform. The House committee blamed the breach largely on the aggressive growth strategy pursued by the credit agency’s then-CEO, Richard Smith. On Smith’s watch, the committee said, Equifax acquired “multiple companies, information technology (IT) systems, and data” that “brought increasing complexity to Equifax’s IT systems, and expanded data security risks.”
During the same period, Equifax also implemented aggressive cost-cutting measures, including the outsourcing of some “mission-critical systems,” according to Hill’s office.
“To save expenses, the outsourcing contracts understaffed vital functions, and the service level agreements contained in the contracts focused entirely on revenue enhancing metrics such as maintaining uptime,” Hill’s office said in a news release. “These agreements either ignored patching and remediation or treated those responsibilities as relatively unimportant.”
The state AG’s office said that Equifax was more concerned about making money than guarding consumer data.
“At every logical opportunity to improve security measures, Equifax’s leaders instead chose increasing revenue over protecting the safety of consumers’ sensitive personal information,” Hill’s office said.
In its latest quarterly earnings report, Equifax said that it disputes the allegations made in the “hundreds of class actions and other lawsuits” that have been filed against it and intends to defend itself against the accusations made in the suits. However, the company has set aside $690 million to help cover the losses it expects to take from the suits.