Two more credit unions are suing Equifax for damages related to the credit-reporting agency’s recent data breach, court records show.
Colorado Springs, Colorado-based Aventa Credit Union and New Castle, Pennsylvania-based First Choice Federal Credit Union, along with the New Orleans-based Bank of Louisiana, filed the class-action complaint against Equifax in U.S. District Court on September 22. Similar to a separate class-action suit filed by Summit Credit Union on September 11, the three financial institutions allege that Equifax failed to secure its website, ignored warnings from security experts and took too long to disclose the breach.
Aventa Credit Union has $175 million in assets and about 23,700 members. First Choice FCU has $44 million in assets and 6,700 members. The financial institutions claimed they will incur “significant damages” related to card reissue, fraud and fraud prevention.
In their complaint, the two credit unions and Bank of Louisiana also highlighted growing concerns about whether hackers will target them next.
“The hackers were also able to access Equifax’s back-end servers, which are connected to financial institutions and enable the parties to share information digitally. Such an intrusion has left credit issuers, including plaintiffs, woefully exposed to the threat of hackers piggybacking off of Equifax’s lax security and entering its partners’ systems,” the complaint said.
The Equifax breach, announced September 7, affects 143 million U.S. consumers. Compromised information primarily includes names, Social Security numbers, birth dates, addresses and in some cases driver’s license numbers. The breach also jeopardized credit card numbers for about 209,000 people, as well as dispute documents for about 182,000 consumers.
The credit unions claimed that outdated software that supports the online dispute process may have contributed to the breach.
“The potential vulnerability of the Apache Strut software was no secret. Numerous entities identified and issued public warnings in March 2017 regarding the vulnerability, including The Apache Foundation, the U.S. Department of Commerce’s National Institute of Standards and Technology, and the U.S. Computer Emergency Readiness Team,” the complaint alleged.
The Apache Foundation made patches and workarounds available to protect against the vulnerability, but Equifax didn’t apply them for two and a half months, it said.
“The dire consequences of the increased risk of identity theft caused by Equifax’s failures cannot be overemphasized,” the complaint added. “With the information used to establish a legal identity now available to identity thieves for over 143 million consumers, lenders are at greatly increased risk of loan fraud and payment card transaction fraud, and are left to devise and implement, and pay for, their own prophylactic measures to reduce such risk.”
In a press release on September 15, Equifax said it believes the unauthorized accesses to certain files containing personal information occurred from May 13 through July 30, 2017.
“With respect to the company’s security posture, Equifax has taken short-term remediation steps, and Equifax continues to implement and accelerate long-term security improvements,” it said.
“Long-term security” may be the operative phrase for credit unions, according to the suit.
“Because Equifax provides services that are so core to the business functioning of credit extenders and lenders such as plaintiff and members of the proposed class, the true extent of the damage may take years to fully materialize,” it said.
