Credit Union Sues Equifax Over Breach-Related Fraud CostsLawsuit Seeks Reimbursement for Breach-Related Fraud, Card-Reissuing Costs
A Wisconsin-based credit union is seeking class-action status for a lawsuit against credit bureau Equifax, which is already facing dozens of consumer-focused lawsuits following the company warning that it had exposed a massive amount of U.S. consumer data in one of the worst breaches ever seen.
See Also: The Global State of Online Digital Trust
Summit Credit Union filed the lawsuit on Sept. 11 in federal court in Atlanta, home to Equifax's headquarters.
Among other contentions, the lawsuit accuses Equifax of negligent business practices by failing to secure its website as well as violating section 5 of the FTC Act, which concerns unfair or deceptive business practices.
Equifax says it can't comment on the lawsuit. "We remain focused on helping our customers, as well as their employees and consumers, to navigate this situation," says Wyatt Jefferies, Equifax's senior director of public relations.
Summit, which has 34 branches in Wisconsin, has 162,000 members. The credit union alleges that the leak of payment card details, as well as sensitive personal information, means it and other institutions will have to shoulder the cost of replacing at-risk payment cards and covering the costs of fraud relating to identity theft committed using the stolen data.
The lawsuit indicates that as a result of the breach, Summit and other institutions may have already moved to cancel and reissue cards to their members and changed or closed some at-risk customer accounts.
Due to these fraud and card-reissuing costs, Summit's lawsuit says it's seeking "costs, restitution, damages, and disgorgement in an amount to be determined at trial." The lawsuit also requests an injunction from the court "requiring Equifax to use adequate security measures to protect its websites and computer systems from attacks by hackers and to prevent future unauthorized access of consumers' sensitive personal and financial information."
Bungled Breach Response
Equifax announced on Sept. 7 that attackers had exploited a vulnerability in one of its web applications to steal personal details on 143 million U.S. consumers. The personal information included names, birthdates, addresses, Social Security numbers and in some cases driver's license numbers (see Equifax: Breach Exposed Data of 143 Million US Consumers).
Also exposed were 209,000 payment card details and documents related to credit disputes that affected 182,000 people.
Later, Equifax said the exposure also affected 400,000 U.K. consumers and 100,000 Canadian consumers. The FBI has launched a criminal investigation into the hack itself, while Equifax is facing investigations by at least 40 state attorneys general, probes by the Federal Trade Commission and the U.S. Securities and Exchange Commission, as well as inquiries from regulators in Canada and the United Kingdom.
Equifax has been accused of mishandling its breach response in multiple ways. The company delivered its breach notification about six weeks after it discovered the intrusion in late July and began to block attackers' access by patching a well-known vulnerability in Apache Struts - an application development framework.
That means that Equifax had failed to patch the Struts vulnerability for more than four months after it became public knowledge in early March, when Apache immediately issued an updated version of Struts that fixed the flaw (see Equifax's Colossal Error: Not Patching Apache Struts Flaw).
After an organization discovers it may have been breached, many security experts say that taking 30 to 45 days to issue a breach notification is entirely reasonable, because organizations should ensure they provide affected consumers with precise details of the problem and the exact steps they can take to protect themselves.
As part of its breach notification, Equifax created a website - www.equifaxsecurity2017.com - designed to give consumers breach-related information. But it was plagued, at least initially, by technical problems. The site also required consumers who wanted to see if they were breach victims to enter part of their Social Security number, which was a questionable request from the very same organization that had failed to safeguard such information in the first place.
Equifax's staff also mistakenly directed some U.S. consumers, via tweets, to a lookalike breach notification site - securityequifax2017.com - created by a security researcher to demonstrate how easy it would be to trick consumers into thinking they were visiting Equifax's legitimate site (see Equifax's May Mega-Breach Might Trace to March Hack).
Proving Damages, Fraud Losses
A major difficulty in consumers' class-action lawsuits over data breaches is that many judges have held that plaintiffs can only prove "injury" or "harm" if they can demonstrate that a leak from a specific data breach led to unreimbursed fraud.
Banks, meanwhile, must prove that they faced out-of-pocket costs as a result of the breach. But proving that the breach led to a specific case of identity theft or card fraud could be difficult, because cybercrime marketplaces are awash in sales of personally identifiable information. It's not a stretch to say that the PII leaked by Equifax may have already been at large for millions of the affected U.S consumers. The value of such information for criminals is that it can be used to perpetrate so-called new account fraud, in which a fraudster registers accounts or takes out new lines of credit in someone else's name.
"I think it would be very difficult, if not impossible, for banks to attribute any new account or PII-related fraud - e.g. account takeover that leverages stolen PII data - to the Equifax hack," says Avivah Litan, a vice president with analyst firm Gartner.
As a result, credit unions and other financial institutions may very well have to shoulder costs related to the Equifax breach, she says. And this is what Summit Credit Union contends in its breach lawsuit, saying that because of the data exposure, there's "virtually no limit to the amount of fraudulent account openings financial institutions must face."
"Financial institutions are responsible for all charges to these fraudulently opened accounts," Summit contends in its lawsuit. "The losses associated with these newly opened accounts only increase over time."
MasterCard and Visa May Reimburse Banks
If proving that the Equifax breach led to specific cases of fraud may be difficult, Summit and other institutions that sign on to the lawsuit may have better luck with the leak of 209,000 payment card numbers. Equifax says the breach began in mid-May and ran through July 30, which gives banks a time frame to potentially correlate with any spike in card fraud.
Litan says payment card companies, including MasterCard and Visa, will reimburse financial institutions' costs relating to demonstrable fraud and reissuing cards exposed in a breach. The payment card companies then typically sue breached businesses to recover such reimbursements.
Target, for example, which lost 40 million payment card details in late 2013, settled with Visa in 2015 for $67 million for fraud losses and breach-related expenses. The retailer also later that year settled with MasterCard and issued banks for $39.4 million.
It's unclear what types of penalties or damages Equifax might face from any and all banks' and card companies' lawsuits - never mind consumer lawsuits and regulatory probes - meaning that the data broker cannot yet tally the full financial repercussions it faces following its massive data breach.
Executive Editor Mathew Schwartz contributed to this story.