The scenario that personal finance and credit experts feared most about the heist of consumer data from Equifax may already be underway: Criminals are using the stolen information to apply for mortgages, credit cards, student loans, tapping into bank debit accounts, filing insurance claims and racking up substantial debts, according to a major new class-action suit.
The suit pulls together dozens of individual complaints from consumers in all 50 states plus the District of Columbia and suggests that cyber criminals aren’t wasting time using the Social Security numbers, credit card accounts, driver’s license numbers and other sensitive personal information they siphoned out of the credit bureau’s reputedly secure databases on 145.5 million Americans.
Filed in federal District Court in Equifax’s home territory of Atlanta, the suit is intended to create a giant national class-action against the company. It alleges violations of federal and state laws and cites claims by more than 50 individual plaintiffs whose information was hacked that significant financial damage already is occurring:
-- Bridgette Craney of Virginia says that since the Equifax breach, she has experienced “multiple fraudulent charges” on five of her credit card accounts and had two fraudulent store credit accounts opened in her name.
-- Robert Hunt of Georgia claims that he’s had multiple “unauthorized mortgages” applied for using his stolen information.
-- Jennifer Wise of Vermont says she’s been getting dunned by collection agencies for “loans that she never opened.”
-- Manuel Lucero of Mississippi says criminals have applied for student loans using his identity; Kyoko Yamamoto of New York claims “at least two” unauthorized charges have been made using her debit card; and Jasmine Guess of Louisiana says she’s had fraudulent insurance claims made using her stolen identity information.
The suit, Allen et al v. Equifax, alleges that the company “failed spectacularly” in its legal responsibilities to protect consumers’ confidential data. It also claims that the company failed to take steps to upgrade its security protocols, including installing a remedial “patch” provided by a software maker, and then delayed informing consumers about the breach, thereby preventing them from taking steps to minimize the damage.
Through Equifax’s negligence, according to the suit, cybercriminals gained access to data that now “permits thieves to create fake identities, fraudulently obtain loans, swipe tax refunds and destroy” consumers’ creditworthiness. Among the most vulnerable potential and actual victims: Home buyers and mortgage applicants who “tend to have significant information on file with credit bureaus,” and as a result are “especially at risk” for ID theft after the Equifax data breach.
A spokesperson for Equifax had no comment on the litigation. Attorneys representing the 50-plus individual plaintiffs in the suit also declined to comment. The potential size of the class represented by the suit is enormous -- “all residents of the United States whose personal information was compromised as a result of the data breach announced by Equifax.” The allegations include violations of the federal Fair Credit Reporting Act, the FTC Act, plus state consumer protection laws, deceptive practices and data breach rules, all of which are recounted in the 323-page filing, state by state.
The suit is particularly harsh in its criticism of Equifax’s alleged failures to heed red flags indicating that its systems were not secure. In April 2017, according to the suit, cyber-risk analysis firm Cyence rated the probability of a security breach at Equifax at 50 percent in the next 12 months. Credit analytics firm FICO gave Equifax low marks on data protection -- an enterprise security score around 550 on a scale of 300 to 850. In 2014, Equifax “left private encryption keys on its server,” potentially allowing hackers to decrypt sensitive data, according to the suit.
How might this giant class-action suit affect you? If you own a home, have a mortgage or received information from Equifax that your files were accessed, you are likely part of the class. You needn’t do anything to join. Keep in mind though: the case may sound like a slam dunk, but it might not be. Lawyers will need to demonstrate a link between plaintiffs’ claims of identity theft and the Equifax breach itself, which may be challenging to prove.
In the meantime, remember that it’s not too late for you to get defensive. If you’re like the vast majority of consumers who have not yet placed freezes on their files at Equifax, Experian, TransUnion and Innovis, consider doing so now. For information on how to proceed, go to https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs.
Kenneth R. Harney wrote this piece for The Washington Post.