
Paul M. D'Amore

Founding Member, Trial Lawyer

Equifax Data Breach Draws Class Action Lawsuit: What You Need to Know

A number of proposed class actions are rapidly accruing against the credit-reporting company Equifax after the personal information of 143 million U.S. consumers was compromised in a cybersecurity breach. In a bombshell news story that hit the media earlier this month, Equifax announced that hackers perpetrated the data breach and that an investigation is ongoing.

As one of the three biggest credit-reporting companies in the country, Equifax stores data belonging to more than 820 million consumers and 91 million businesses, as well as employee data submitted by more than 7,100 employers.

Here’s what you need to know:

  • Equifax first became aware of the breach on July 29th, but the company did not publicly disclose the cyber attack until September 7th.
  • The hackers may have gained access to a variety of personal information such as customers’ names, Social Security numbers, birthdates, addresses, credit card numbers, and driver’s license identification numbers.
  • It is estimated that the data breach has potentially disclosed information on nearly 44% of the U.S. population, which does not include the other possible victims from the U.K. and Canada.
  • Considered one of the worst data breaches on record, it is no wonder that the lawsuits have been rapidly rolling in.

Less than 24 hours after Equifax made its big reveal, a proposed class action lawsuit was filed in a federal court in Portland, Oregon. The suit alleges that Equifax made money at the cost of its customers’ protections. The complaint states: “In an attempt to increase profits, Equifax negligently failed to maintain adequate technological safeguards to protect [the plaintiffs’] information from authorized access by hackers.”

The lawsuit is seeking up to $70 billion in damages, slating this to be the largest class action in U.S. history. At least 23 other proposed class actions have been filed, with the number estimated to increase as more information is disclosed. The lawsuits name either Equifax or its subsidiary, Equifax Information Services, as defendants and allege a variety of legal claims such as security negligence and failure to timely warn customers about the breach.

After Equifax made its announcement, its customers were obviously panicked that their personal information had been stolen. In response, Equifax set up a website where customers can check whether their data has been compromised. The company also offers a free year of credit monitoring through TrustedID, a company owned by Equifax, to customers who were victims of the attack.

One lawsuit filed in California federal court alleges that Equifax’s offer to register its customers was done in the hope of “baiting consumers into signing up for its services” and turning “its failure to protect consumers’ sensitive data into a clandestine money-making opportunity.”

Another problem with customers using Equifax’s website to check on the status of their information is the terms of service that they must agree to prior to signing in. As part of the terms of the site, customers agree to an arbitration clause and waive the right to join any class action lawsuits against the company. Some reports have indicated that these terms only apply to lawsuits against TrustedID, not Equifax. However, Equifax’s own terms of service broadly bar any customers who use “all other websites owned and operated by Equifax and its affiliates” from joining a class action.

Adding yet another facet to the confusion, a clause in the company’s terms of service exempts claims that fall under the Fair Credit Reporting Act from the arbitration clause. Legal scholars and consumer protection experts have already begun opining as to the enforceability of these arbitration clauses. As Ira Rheingold, executive director of the National Association of Consumer Advocates, states:

“It seems to be pretty outrageous to say, ‘Hey, I’m looking at your website to look up whether or not I’m a victim, and therefore when I look to see if I’ve been harmed by you, just by looking I’ve now found myself to not go to court,’ I think that may be a bridge too far, even for our courts.”

How Did This Happen?

It is unclear what exactly caused this massive data breach and the question will certainly be explored in depth as more lawsuits unfold and the experts weigh in. But a brief look into Equifax’s history may offer some clues.

In 2016, Equifax’s W-2 Express website suffered a data breach that caused the exposure of 430,000 names, addresses, Social Security numbers, and other kinds of personal information of the retail firm Kroger. The $5 million class action lawsuit was eventually dismissed on the condition that Equifax cease use of a potentially hazardous security measure that required client employees to access their data with a PIN consisting of the last four digits of their Social Security number and their four-digit birth year, numbers that could be easily accessible to a hacker.

In May 2017, it was reported that hackers had, in fact, gathered personal information on the employees to reset their PINs, access their accounts, and steal tax data. The attack occurred from April 17, 2016 until March 29, 2017. Earlier this year, Equifax also disclosed that credit information of a number of customers was leaked on the online portal of its partner, LifeLock. Another breach occurred between April 2013 and January 2014, which Equifax reported to the New Hampshire attorney general, after an IP address operator was able to access credit reports through the company’s identity verification.

Throughout Equifax’s history of data breaches, cybersecurity experts have uncovered faults and vulnerabilities in the company’s security measures. Back in 2016, a researcher discovered a cross-site scripting (XSS) vulnerability on Equifax’s website, which allows hackers to send out links that, when clicked by a customer, expose that customer’s username and password.

In light of the recent data breach, other experts have researched Equifax and discovered that the company is running a number of old technologies on its website, including source code that links to Netscape, the defunct web browser that was discontinued in 2008. Another cybersecurity engineer reported that Equifax was using out-of-date Java software that contributed to the security breach.

Massive, precedent-setting class action lawsuits are not the only consequence of the Equifax security breach. The $17 billion company will likely be the focus of a Congressional inquiry, as the House Judiciary Committee and the House Financial Services Committee may call for an investigative hearing. New York Attorney General Eric Schneiderman has also launched a formal investigation. The Consumer Financial Protection Bureau is looking into the breach as well. As Equifax’s stock price plunges and the number of lawsuits increases, the questions surrounding the biggest security breach in U.S. history will continue to grow.
