The credit union industry’s largest national trade association, CUNA, announced Friday that it plans to file a lawsuit against Equifax over the credit bureau’s massive data breach.
“Equifax needs to be held accountable for this massive data breach that gave hackers access to the personally identifiable information of 143 million Americans and the credit card information of 209,000 people,” CUNA president and CEO Jim Nussle said in a statement. “Equifax’s disregard for protecting this highly sensitive data means credit unions are left bearing the brunt for damages in replacing members’ cards payment cards, covering fraudulent purchases and taking protective measures to reduce risk of identity theft and false loans.”
CUNA said credit unions and other financial institutions will likely have to shoulder these costs over the long term. They will also suffer reputational harm and have to bear the burden of notifying consumers of potential fraudulent activity, it added.
At least three credit unions have brought their own suits against Equifax so far. Madison, Wisconsin-based Summit Credit Union filed a class-action lawsuit against Equifax on September 11; Colorado Springs, Colorado-based Aventa Credit Union and New Castle, Pennsylvania-based First Choice Federal Credit Union, along with the New Orleans-based Bank of Louisiana, filed their own class-action complaint against Equifax on September 22.
Summit Credit Union has $2.8 billion in assets and about 167,000 members. Aventa Credit Union has $175 million in assets and about 23,700 members; First Choice Federal Credit Union has $44 million in assets and about 6,700 members.
The Equifax breach, announced September 7, affects 143 million U.S. consumers. Compromised information primarily includes names, Social Security numbers, birth dates, addresses and in some cases driver’s license numbers. The breach also jeopardized credit card numbers for about 209,000 people, as well as dispute documents for about 182,000 consumers.
CUNA has not formally filed its lawsuit yet, but the credit unions that have done so claimed in their complaints that outdated software may have contributed to the breach.
According to the complaint in the Aventa and First Choice case, software supporting Equifax’s online dispute process was allegedly the culprit.
“The potential vulnerability of the Apache Strut software was no secret. Numerous entities identified and issued public warnings in March 2017 regarding the vulnerability, including The Apache Foundation, the U.S. Department of Commerce’s National Institute of Standards and Technology, and the U.S. Computer Emergency Readiness Team,” it said.
The Apache Foundation made patches and workarounds available to protect against the vulnerability, but Equifax didn’t apply them for two and a half months, they alleged.
In a press release on September 15, Equifax said it believes the unauthorized accesses to certain files containing personal information occurred from May 13 through July 30, 2017.
“With respect to the company’s security posture, Equifax has taken short-term remediation steps, and Equifax continues to implement and accelerate long-term security improvements,” it said.
