Congress Calls for Hearings; Security Watchers Call for CEO’s Resignation
The massive Equifax data breach has already led to the filing of at least two lawsuits seeking class-action status. One of the lawsuits, filed in Portland, Oregon, is demanding up to $70 billion in damages.
The lawsuits are just one measure of the fury generated by Equifax – one of the three biggest U.S. data brokers – revealing Thursday that it suffered a breach, beginning in May, that exposed to hackers 143 million consumers’ personal details, including information that could be used to commit identity theft.
In its alert issued Thursday, Equifax said that it discovered the breach July 29 and launched a website that consumers can use to see if their data was exposed. The company is offering all U.S. consumers one year of prepaid credit monitoring, which includes freezing their credit reports on Equifax. But it has not offered to do the same with consumers’ credit reports at other data brokers.
Almost immediately following the breach notification, affected consumers began filing lawsuits. Meanwhile, attorneys general in at least five states – including New York and Illinois – have also announced formal breach investigations. And several Congressional committees are launching or eyeing breach-related hearings. Equifax has also promised to work with regulators in Canada and the United Kingdom, where some victims reside.
Hardest hit by the breach, however, were those who live in the U.S. The breach exposed information on nearly half of all U.S. adults, including names, birthdates, addresses, Social Security numbers and in some cases, driver’s license numbers. All of that data is regularly used to verify an individual’s identity, and thus it’s also valuable for identity thieves.
“The quality of data potentially compromised is very valuable to cybercriminals,” cybersecurity attorney Imran Ahmad tells Information Security Media Group. “What these guys are looking for is high value bits of information. The reason they like this type of data is because they can easily on the darknet sell these and create virtual profiles and sell them to others.”
Following the breach notification, some officials urged all victims to think about immediately freezing their credit.
On Saturday, for example, the office of New York Attorney General Eric Schneiderman sent an email recommending that state residents “consider placing a credit freeze on your [credit] files,” and noting that “a credit freeze makes it harder for someone to open a new account in your name.” The office also warned that breach victims will be at increased risk from tax-return fraud because their Social Security numbers were stolen (see IRS Disables Hacked PIN Tool).
Similarly, Ohio Attorney General Mike DeWine recommended that consumers “consider placing a security freeze on your credit report,” noting that in Ohio, such freezes are “permanent until you lift them.” DeWine noted that credit reports must be frozen separately with each individual agency – including Experian and TransUnion – and that each could charge $5 for the freeze (see Latest Equifax Bungle: Predictable Credit Freeze PINs).
Equifax faces at least five formal investigations by state attorneys general, which could levy penalties. Schneiderman’s office, for example, notes that under state law, “the attorney general’s office investigates data breaches to determine if customers were properly notified of the breach and if the entity had appropriate safeguards in place to protect customers’ data.”
Numerous security watchers have called for Equifax to publicly atone for the breach – and do so quickly – and have called on anyone who has a choice of data brokers to immediately stop working with Equifax. Some also want to see Equifax CEO Richard Smith ousted.
“Smith should resign. If he does not, his board should fire him,” says information security expert William Hugh Murray, who’s a senior lecturer at the Naval Postgraduate School.
Three other Equifax executives sold stock in the company after it learned of the breach, but before it issued a public notification (see Equifax Breach: 8 Takeaways).
The U.S. Securities and Exchange Commission declined to comment to ISMG about whether it will investigate the timing of those stock sales.
Equifax has released a statement saying that the executives – including its chief financial officer – had been unaware that the breach had occurred when they sold shares.
Murray, meanwhile, recommends the three “resign and flee the country before the Feds come after them for insider trading.” And for good measure, he adds, “the CISO should update his resume.” As ISMG has previously reported, however, that job position was, until recently, being advertised as vacant.
Lawsuit Seeks Up to $70 Billion
Equifax already faces at least two lawsuits over the breach – one filed in Atlanta, the other in Portland, Oregon.
The latter, launched by Mary McHill from Portland and Brook Reinhard from Eugene, seeks class-action status on behalf of everyone affected by the breach and demands damages of as much as $70 billion. It was filed by law firm Olsen Daines PC, together with Geragos & Geragos, which Bloomberg reports is a law firm known for launching splashy, high-octane class actions.
“This complaint requests Equifax provide fair compensation in an amount that will ensure every consumer harmed by its data breach will not be out-of-pocket for the costs of independent third-party credit repair and monitoring services,” according to the complaint.
Reinhard, for example, says that he spent $19.95 to buy “third-party credit monitoring services he otherwise would not have had to pay for.”
The lawsuit also alleges that Equifax failed to invest sufficiently in its information security program. “In an attempt to increase profits, Equifax negligently failed to maintain adequate technological safeguards to protect [individuals’] information from unauthorized access by hackers,” according to the complaint. “Equifax knew and should have known that failure to maintain adequate technological safeguards would eventually result in a massive data breach. Equifax could have and should have substantially increased the amount of money it spent to protect against cyberattacks but chose not to.”
Many breach-related lawsuits, however, have failed, with the cases often being dismissed because plaintiffs failed to prove they suffered unreimbursed financial losses (see Why So Many Data Breach Lawsuits Fail).
Congress Promises Hearings
Equifax executives can also expect to appear before Congress as a result of the breach.
On Thursday, House Financial Services Committee Chairman Jeb Hensarling, R-Texas, labeled the breach “troubling” and said he would set a date for his panel’s hearing.
The House Energy and Commerce Committee also plans to hold a hearing.
“This unprecedented data breach could impact tens of millions of Americans and raises serious questions about the security of our personal information online,” Rep. Greg Walden, R-Oregon, the committee’s chairman, said in a statement Friday, The Hill reports.
“After receiving an initial briefing from Equifax, I have decided to hold a hearing on the matter so that we can learn what went wrong and what we need to do to better protect consumers from serious breaches like this in the future,” he added.
Also Friday, Rep. Ted Lieu, D-California, wrote a letter to the Judiciary Committee, on which he serves, calling for it to hold hearings.
“In light of recent events, I request the committee call upon representatives from the ‘Big Three’ credit reporting agencies – Experian, TransUnion, and Equifax – to testify not only on the breach that occurred in May 2017, but also to identify how each company is taking proactive, defensive steps to prevent such breaches in the future,” he writes.
But Equifax is reportedly having trouble dealing with the volume of inquiries it’s facing from consumers concerned about the breach.
One U.S. consumer, Amy Yoakum, told The Guardian that she had called the breach hotline Equifax created nine times and was disconnected each time before she finally managed to get placed on hold. She then waited 23 minutes before an operator told her that she would only be able to access information by visiting Equifax’s breach information website.
“He said he is a contractor and had been instructed to direct everyone back to the website. He had no access to my account and told me all of the other agents were getting a lot of frustrated callers today,” Yoakum told the newspaper.