Equifax faces two distinct class actions claiming tens of billions of dollars over the data breach it revealed last Thursday.
The first class action was filed on Thursday in Atlanta, where Equifax is based. It came from attorneys at Tampa-based firm Morgan & Morgan, and also sees the participation of Roy Barnes, former governor of the State of Georgia.
A second lawsuit was submitted in Oregon, also on Thursday, by lawyers from West Coast-based firms Geragos & Geragos and Olson Daines. They are claiming some $70bn (£58bn) in compensation for customer damages.
The credit rating agency was first compromised in May, and only discovered the vulnerability at the end of July. More than a month later, on 7th September, it announced hackers had accessed 143m records, as well as 209,000 credit card numbers.
The Oregon lawsuit reads: “In an attempt to increase profits, Equifax negligently failed to maintain adequate technological safeguards to protect [customers’] information from unauthorized access by hackers … Equifax could have and should have substantially increased the amount of money it spent to protect against cyber-attacks but chose not to.”
It said claimants “hope Equifax will use this massive data breach, and their subsequent lawsuit, as a teachable moment to finally adopt adequate safeguards to protect against this type of cyber-attack in the future”.
After the breach, Equifax made available a tool, called TrustedID Premier, which let clients check whether their data had been hacked. However, the terms for accessing the tool contained a clause preventing users from joining any form of class action. Equifax quickly amended the terms to allow for lawsuits regarding the data breach incident.
The scandal sent Equifax’s shares plummeting; they stood at $122 on Monday, down 17% from before the announcement.
Three executives at the company reportedly sold $2m worth of shares after the breach was discovered, but Equifax denies they had any insider knowledge of the hack.