Madison, Wis.-based Summit Credit Union has filed a class-action lawsuit against Equifax on behalf of credit unions for damages related to the credit-reporting agency’s giant data breach disclosed earlier this month. The suit claims Equifax failed to secure its website, ignored warnings from security experts and took too long to disclose the breach, according to a complaint filed in U.S. District Court.
According to Summit CU, which has $2.8 billion in assets and about 167,000 members, the breach has left credit unions to shoulder the costs of cancelling and reissuing member cards, as well as the expense of lost business and fraud activity on member accounts.
Credit unions may also face new regulatory compliance costs as regulators request additional reports and plans in an effort to protect consumers, Summit alleged. Financial institutions will have to bear the burden associated with fraudulent new accounts created by identity thieves, too, it said.
“With the complete data sets that hackers have now acquired from the Equifax breach, criminals can use these stolen identities or create a new identity from scratch. They can then use this identity to apply for new lines of credit, loans, or other accounts with financial institutions,” Summit claimed. “With a breach of this magnitude, there is virtually no limit to the amount of fraudulent account openings financial institutions may face.”
The Equifax breach, announced September 7, affects 143 million U.S. consumers. Compromised information primarily includes names, Social Security numbers, birth dates, addresses and in some cases driver’s license numbers. The breach also jeopardized credit card numbers for about 209,000 people, as well as dispute documents for about 182,000 consumers.
Outdated software may have contributed to the breach, Summit claimed.
“From mid-May to late July of 2017, hackers exploited a vulnerability in Equifax’s U.S. web server software to illegally gain access to certain consumer files. Investigators believe that the point of entry may have been a software application called Apache Struts,” Summit alleged in its complaint. “The potential vulnerability of the Apache Strut software was no secret. Security researchers with Cisco Systems Inc. warned in March 2017 that a flaw in the Apache Struts software was being exploited in a ‘high number’ of cyberattacks. Despite this warning, Equifax continued to use the software. And Equifax was reportedly using an outdated version of Apache Struts at the time of the data breach.”
In a press release on September 15, Equifax said it believes the unauthorized accesses to certain files containing personal information occurred from May 13 through July 30, 2017.
“With respect to the company’s security posture, Equifax has taken short-term remediation steps, and Equifax continues to implement and accelerate long-term security improvements,” it said.
There are more than 100 class members in Summit’s class-action suit, and the damages exceed $5 million, according to the filing.
