A class action securities fraud lawsuit has been filed against Equifax.
The class action was filed by law firm Levi & Korsinsky last Friday (September 8), the day after the credit reference agency announced it had been hit with a cyber security attack affecting 143 million consumers.
The suit has accused Equifax of misleading shareholders about its ability to protect consumer data, and inflating its financial statements and share price, before the security breach became known.
It has been filed on behalf of shareholders who purchased shares between February 25 2016 and September 7 2017. The action is being taken against Equifax as well as some of its individual executives including John Gamble, Equifax’s chief financial officer, and Richard Smith, chairman and chief executive of the company.
The filing from Levi & Korsinsky demands a trial by jury.
On September 7, Equifax declared it had been the victim of a cyber security attack which exploited a website application vulnerability to gain access to consumer files including the names, social security numbers, birth dates, addresses and, in some instances, driver’s license numbers and credit card numbers for some consumers.
Equifax said it discovered the attack on July 29 and acted immediately to stop the intrusion by hiring an independent cyber security firm to carry out a forensic investigation.
The suit alleges that according to regulatory filings from early August, Gamble and two other executives sold a collective $1.78m in Equifax stock, just days after Equifax discovered the breach.
At the time the breach became public (September 7), Smith apologised: “This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do…While we’ve made significant investments in data security, we recognize we must do more. And we will."
This week (September 11), two US senators, Orrin Hatch, chair of the Finance Committee, Ron Wyden, called on Equifax to respond to 13 questions in regards to the security breach.
The questions included queries around the process Equifax undertook when it discovered the breach, the safeguards it had in place and how it aims to identify all the consumers who have had personal information compromised.
The senators also want to know whether U.S. government agency records were compromised in the hack. They have requested a response by September 28 2017.
Equifax has also identified unauthorised access to personal information for certain UK and Canadian residents. The company said it will work with UK and Canadian regulators to determine appropriate next steps.
Commenting on the cyber attack last week, James Dipple-Johnstone, deputy commissioner at the Information Commissioner’s Office, said: "We are already in direct contact with Equifax to establish the facts including how many people in the UK have been affected and what kind of personal data may have been compromised. We will be advising Equifax to alert affected UK customers at the earliest opportunity.”
The investigation remains ongoing and is expected to be completed in the coming weeks.