- Office of Attorney General Maura Healey
Media Contact for AG Healey Sues Equifax
Boston — Following a major data breach at credit reporting firm Equifax Inc., Attorney General Maura Healey today filed the nation’s first enforcement action over the company’s failure to protect sensitive and personal information of nearly three million Massachusetts residents.
“We allege that Equifax knew about the vulnerabilities in its system for months, but utterly failed to keep the personal information of nearly three million Massachusetts residents safe from hackers,” said AG Healey. “We are suing because Equifax needs to pay for its mistakes, make our residents whole, and fix the problem so it never happens again.”
According to Equifax, the breach reported earlier this month potentially compromised the personal information of 143 million consumers nationwide, including nearly three million Massachusetts consumers. AG Healey immediately launched an investigation to determine the scope of risk to consumers and whether the company had proper safeguards in place to protect consumer information and issued guidance for consumers in the wake of the data breach.
Last week, AG Healey announced her intent to sue the company.
The complaint, filed today in Suffolk Superior Court, alleges that Equifax did not maintain the appropriate safeguards to protect consumer data in violation of Massachusetts consumer protection and data privacy laws and regulations.
According to the complaint, between at least March 7, 2017 through July 30, 2017, Equifax left sensitive and private consumer information exposed to intruders by relying on certain computer code that it knew or should have known was vulnerable to exploitation without having in place safeguards sufficient to prevent the consumer data it stored in its system.
The AG’s complaint alleges that still-unknown third parties infiltrated Equifax’s computer system through “Dispute Portal” – a page on its website that allows consumers to submit information to initiate and support a formal dispute of information in their credit reports.
Once in, the unauthorized third parties were able to access and likely stole consumer information from Equifax’s network. The hackers were present in Equifax’s system from at least May 13, 2017 through the end of July 2017 without Equifax detecting them and potentially stole the sensitive and personal information of 143 million consumers.
Further, although fixes for the computer code vulnerability were available to Equifax and posted on at least one U.S. Government website, the company failed to implement the recommended fixes, or otherwise put in place other safeguards and security controls, such as encryption, that would sufficiently protect consumers’ personal data.
According to the lawsuit, Equifax also failed to provide timely notice to the AG’s Office and to affected consumers, as required by Massachusetts law. The company knew about the breach around July 29, 2017, yet did not notify the AG’s Office or consumers until Sept. 7, 2017.
The AG’s lawsuit seeks civil penalties, disgorgement of profits, restitution, costs, and attorneys’ fees. The AG’s Office also seeks injunctive relief to prevent harm to Massachusetts residents resulting from the company’s actions and inaction.
Equifax is a credit reporting firm that businesses rely on to make decisions about the credit worthiness of consumers, therefore affecting whether consumers can buy a house, acquire a loan, lease a vehicle, or even get a job. Consumers have little to no control over the information that Equifax acquires about them.
Consumers who believe that they are victims of identity theft should take additional steps to protect their credit and personal information. For more information go to the Federal Trade Commission’s step-by-step guide at https://identitytheft.gov/.
This case is being handled by Sara Cable, Director of Data Privacy & Security, as well as Assistant Attorneys General Jared Rinehimer, and Michael Lecaroz, all of the AG’s Consumer Protection Division, and Investigator Anthony Crespi.