Lately, Equifax has been hit by lawsuits brought by individuals angry that their personally identifying information (PII) and payment card information was exposed to hackers in a recent data breach. This class action, however, is being brought by Gulf Winds Federal Credit Union, on behalf of financial institutions that have suffered losses in connection with he data breach.
The class for this action is all banks, credit unions, and financial institutions in the US that provide banking products and services to customers or members whose personal information was collected by Equifax and was compromised during the 2017 breach of Equifax’s website.
The complaint for this class action says that the data breach began in mid-May 2017 and that Equifax discovered it on July 29, 2017, but that it did not announce it until September 7, 2017. Why wait so long after the breach had been discovered? According to the complaint, three executives of the company were selling their shares of Equifax stock, which was likely to take a hit when the massive data breach was announced.
The complaint alleges that Equifax was negligent in failing to safeguard the confidential information that it collected, because the company had failed to do anything about warnings from security experts about vulnerabilities of the Apache Struts software it used, and because it had failed to update software to close a loophole that was already known at the time of the data breach.
In all, some 145 million consumers had their information compromised during the data breach, and according to the complaint, such a large exposure poses problems and requires extra expenses not only for the individuals involved but for their banks, credit card issuers, and other financial institutions.
Plaintiff Gulf Winds provides consumer loans, processes transactions, and issues credit and debit cards to consumers. According to the complaint, it has had to address Compromised Account Management System (CAMS) alerts about customer credit card accounts, and Gulf Winds has incurred expenses in cancelling and reissuing many of its credit cards and in monitoring affected credit cards.
In addition, the complaint alleges, it has had to spend time talking to affected customers, adding to fraud oversight measures, working to prevent fraud on consumer accounts, and helping members reduce potential damages. Among other things, the complaint says, it has had to review and revise its remote member-validation procedures, which will require longer call times and possibly the hiring and training of additional employees.
The complaint points out that measures to prevent fraud due to the data breach are likely to continue for years to come.