CUNA has made good on its promise to go after Equifax over the credit-rating bureau’s recent data breach.
On Wednesday, the credit union industry trade association filed a class-action lawsuit in a Georgia District Court against Equifax, alleging that financial institutions have suffered and will continue to suffer financial losses and increased data security risks as a result of the breach. According to the complaint, Army Aviation Center Federal Credit Union and Greater Cincinnati Credit Union joined CUNA as plaintiffs in the suit.
Army Aviation Center Federal Credit Union, headquartered in Daleville, Alabama, has $1.2 billion in assets and about 98,000 members. Greater Cincinnati Credit Union is a state-chartered credit union headquartered in Cincinnati, Ohio.
“We filed this lawsuit because our member credit unions are very concerned with the effects of this breach, everything from reissuing compromised cards to adding uncertainty to the loan underwriting process,” CUNA President/CEO Jim Nussle said in an announcement after the filing. “Credit unions will bear substantial costs dealing with the fallout from this breach, and this lawsuit is a step toward recouping costs and requiring stronger data security measures in the future.”
The Equifax breach, announced September 7, was first thought to affect 143 million U.S. consumers. Compromised information primarily includes names, Social Security numbers, birth dates, addresses and in some cases driver’s license numbers. The breach also jeopardized credit card numbers for about 209,000 people, as well as dispute documents for about 182,000 consumers. A subsequent forensic investigation announced on October 2 found that an additional 2.5 million U.S. consumers were affected, bringing to the total to 145.5 million people.
In an announcement before the filing, CUNA said credit unions and other financial institutions will likely have to shoulder these costs over the long term. They will also suffer reputational harm and have to bear the burden of notifying consumers of potential fraudulent activity, it added.
The complaint gave more detail about the expenses CUNA thought credit unions will have to bear.
“These costs include, but are not limited to, canceling and reissuing an untold number of compromised credit and debit cards, reimbursing customers for fraudulent charges, increasing fraudulent activity monitoring, taking appropriate action to mitigate the risk of identity theft and fraudulent loans and other banking activity, sustaining reputational harm and notifying customers of potential fraudulent activity,” it claimed.
“Equifax’s data security deficiencies were so significant that, even after hackers entered its systems, their activities went undetected for at least two months, despite red flags that should have caused Equifax to discover their presence and thwart, or at least minimize, the damage,” it alleged.
At least three credit unions have brought their own suits against Equifax so far. Madison, Wis.-based Summit Credit Union filed a class-action lawsuit against Equifax on September 11; Colorado Springs, Colo.-based Aventa Credit Union and New Castle, Pa.-based First Choice Federal Credit Union, along with the New Orleans-based Bank of Louisiana, filed their own class-action complaint against Equifax on September 22.
Summit Credit Union has $2.8 billion in assets and about 167,000 members. Aventa Credit Union has $175 million in assets and about 23,700 members; First Choice Federal Credit Union has $44 million in assets and about 6,700 members.
In a press release on September 15, Equifax said it believes the unauthorized accesses to certain files containing personal information occurred from May 13 through July 30, 2017.
“With respect to the company’s security posture, Equifax has taken short-term remediation steps, and Equifax continues to implement and accelerate long-term security improvements,” it said.
On October 2 statement about the conclusion of the company’s forensic investigation, newly appointed interim Equifax CEO Paulino do Rego Barros, Jr. said the company’s priorities are transparency and improving consumer support.
“I want to apologize again to all impacted consumers. As this important phase of our work is now completed, we continue to take numerous steps to review and enhance our cybersecurity practices. We also continue to work closely with our internal team and outside advisors to implement and accelerate long-term security improvements,” Barros added.
