On Thursday, the company announced that hackers had stolen Social Security numbers and other personal information belonging to 143 million people, leaving them potentially vulnerable to identity theft and fraud. Victims of the breach in Oregon have now filed a multibillion-dollar lawsuit.
“Plaintiffs file this complaint as a national class action on behalf of over 140 million consumers across the country harmed by Equifax’s failure to adequately protect their credit and personal information,” the complaint reads. Greg Otto from Cyberscoop shared a copy of the document online.
Individual Oregon consumers Mary McHill from Portland, and Brook Reinhard from Eugene filed the suit. “Equifax owed a legal duty to consumers like Ms. McHill and Mr. Reinhard to use reasonable care to protect their credit and personal information from unauthorized access by third parties. Equifax knew that its failure to protect Ms. McHill and Mr. Reinhard’s credit and personal information from unauthorized access would cause serious risks of credit harm and identity theft for years to come,” the complaint stated.
The complaint claims that the lawsuit could have cost implications of $68.6 billion.
According to Equifax’s announcement, hackers accessed names, Social Security numbers, dates of birth, physical addresses, and driver’s license numbers, as well as around 209,000 U.S. consumers’ credit-card numbers in between May and July of this year. The breach also affected a number of customers in the U.K.
Bloomberg News reported that three Equifax executives unexpectedly sold company stock several days after Equifax first learned of the data breach, but before revealing it to the public. In response to news of the breach, Sen. Mark Warner (D-VA) has called for legislation requiring companies to inform consumers of similar hacks.
It in its announcement, the company says the hackers used a “website application vulnerability” to access the data.
At the time of writing it is not entirely clear which flaw the hackers may have taken advantage of, but researchers have found a slew of security issues with Equifax’s systems. They include servers with critical vulnerabilities that would allow attackers to run their own code, and basic, unfixed bugs in the company’s website.
“Consumers like Ms. McHill and Mr. Reinhard should not have to bear the expense caused by Equifax’s negligent failure to safeguard their credit and personal information from cyberattackers,” the lawsuit said.
Equifax did not respond to a request for comment.