Our privacy attorneys have filed a class action lawsuit alleging that Equifax failed to secure the personal information of up to 143 million Americans, including addresses, driver’s license numbers, dates of birth, credit card details, Social Security numbers, and other data.

Was Your Personal Data Stolen?

Call us at (800) 254-9493 or message us to learn about your legal rights and the lawsuit.

  • This field is for validation purposes and should be left unchanged.

(800) 254-9493

Hackers Had Access to Data from Mid-May through July

Equifax, one of the three largest credit reporting agencies, announced on September 7, 2017 that it had experienced a “cybersecurity incident potentially impacting approximately 143 million U.S. consumers.” Equifax said that the hacker had exploited a “website application vulnerability” to gain access to Equifax’s systems. According to Equifax, “The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers.”

Also compromised, Equifax says, were “credit card numbers for approximately 209,000 U.S. consumers, and certain [credit] dispute documents with personal identifying information for approximately 182,000 U.S. consumers.” Rick Smith, Equifax’s CEO, said that Equifax discovered the incident on July 29, 2017. Upon discovering the breach, Equifax “engaged a leading cybersecurity firm, Mandiant, to conduct a comprehensive forensic review to determine the scope of the intrusion.” According to Equifax, the forensic investigation determined that the hacker had gone undetected in Equifax’s systems from May 13 through July 30, 2017.

Equifax Failed to Patch Major Security Vulnerability

Equifax announced that the hacker’s “initial attack vector” was “a vulnerability in Apache Struts (CVE-2017-5638), an open-source application framework that supports the Equifax online dispute portal web application.” The vulnerability was made public and Apache released a patch on March 6, 2017. As The Hacker News reports, “Right after the disclosure of the vulnerability, hackers started actively exploiting the flaw…” Companies that failed to implement the patch were “relatively easy” targets, according to Wired.

The day after discovering the breach, Equifax took the “affected web application” offline. Before hiring Mandiant, Equifax pinpointed the “vulnerability in the Apache Struts web application framework as the initial attack vector,” patched it, and brought the dispute portal back online. Click here for Equifax’s online dispute portal.

After Equifax’s announcement that the Apache Struts vulnerability had been the point of entry, Wired published, “Equifax Officially Has No Excuse.” Wired quotes cybersecurity researcher Bas van Schaik as saying:

This vulnerability was disclosed back in March. There were clear and simple instructions of how to remedy the situation. The responsibility is then on companies to have procedures in place to follow such advice promptly. The fact that Equifax was subsequently attacked in May means that Equifax did not follow that advice. Had they done so this breach would not have occurred.

LA Times, USA Today Contact GG Privacy Attorneys for Comment

National news outlets including the LA Times and the USA Today have reached out to our data breach attorneys for their insight on the origins and implications of the Equifax data breach.

Speaking to the LA Times about the breach, Eric said:

The one thing that has held consistent in recent years is there’s substandard internal practices that lead to these breaches,” said Gibbs, a partner at Girard Gibbs. “Time and time again, the [breaches] are then blamed on sophisticated hackers. But the sophistication of the hacker doesn’t have to do with it, it’s the internal practices.

Girard Gibbs privacy attorney David Berger further commented on the consequences of the breach for the LA Times, stating:

“There’s quite broad and serious potential harm over many years,” said David Berger, counsel at Girard Gibbs. “It’s particularly concerning.”

How to Check if You’re Affected by the Equifax Data Breach

Equifax has set up an official website that it says you can use to “[s]ee if your personal information is potentially impacted.” Equifax says it will not send individual notices to consumers except for 209,000 consumers whose credit card numbers were compromised, and the 182,000 consumers whose personal identifying information was stolen from credit dispute documents.

According to the site’s instructions, consumers whose information was impacted will be notified of that fact after clicking “Check Potential Impact,” and entering their last name and the last six digits of their Social Security number.

Consumers and news organizations, however, have reported that the site may not be accurate. Some individuals have reported that when they entered random or non-existent names and Social Security numbers, the site told them their information was impacted by the breach.

How Did Equifax Get My Information?

Equifax explains:

If you have opened a line of credit or an account with any “[c]redit card companies, banks, credit unions, retailers, [or] auto and mortgage lenders,” then those entities have all reported the details of your credit application—such as your Social Security number—to all three credit reporting agencies (Equifax, TransUnion, and Experian). The banks and lenders also report, on an ongoing basis, your credit activity and payment history to the three credit bureaus.

Our Leadership in Data Breach & Privacy

Our firm has represented plaintiffs in complex lawsuits involving some of the nation’s largest data breaches, including litigation against Anthem, Adobe, Home Depot, Excellus Blue Cross and Blue Shield, and Banner Health, among others. In the past, we have successfully represented consumers with data breach and privacy claims involving HealthNet and Certegy Check Services.

Eric Gibbs has established himself as a leader in emerging litigation involving data breach and privacy. He was court-appointed to the four-member leadership team in the Anthem Data Breach Litigation, which recently settled for $115 million, the largest data breach settlement in history (settlement pending final Court approval). Eric secured a landmark ruling in the Adobe Systems, Inc. Privacy Litigation, which makes it easier for plaintiffs to seek relief following a breach. He was recently selected from among a pool of attorneys from across the country to serve as co-lead counsel in the Vizio, Inc., Consumer Privacy Litigation.

Eric co-founded the American Association for Justice’s Data Breach and Privacy Litigation Group, and has served as chair and organizer of several consumer privacy conferences on best practices and developments in consumer privacy litigation.