The Office of the Indiana Attorney General is suing one of the world’s largest credit agencies after a 2017 cyberattack breached the personal information of millions of Hoosiers.
The lawsuit against Equifax seeks civil penalties, consumer restitution, costs and injunctive relief following the massive data breach that compromised the personal information of nearly 148 million Americans and nearly 4 million Hoosiers, Attorney General Curtis Hill announced Monday.
The breach occurred between May 13 and July 30, 2017, and was “entirely preventable,” according to conclusions made during an investigation by the U.S. House of Representatives Committee on Oversight and Government Reform.
The congressional report said former Equifax CEO Richard Smith embarked on an “aggressive growth strategy” that resulted in the acquisition of multiple companies, information technology systems and data. That strategy, although successful for Equifax’s bottom line, ultimately “brought increasing complexity to Equifax’s IT systems, and expanded data security risks.”
The committee also found the company failed to implement an adequate security program to protect sensitive data, resulting in “one of the largest data breaches in U.S. history.”
Further, Equifax pursued aggressive cost-cutting measures that included the outsourcing of some of the company’s mission-critical systems, the lawsuit says. The outsourced contracts understaffed vital functions, and service level agreements contained in the contracts focused solely on revenue-enhancing metrics.
Those agreements either ignored patching and vulnerability remediation or treated those responsibilities as relatively unimportant, the suit says.
Indiana’s lawsuit alleges the company chose to increase revenue instead of protecting its consumers by improving security measures at every logical opportunity, Hill’s office said.
“Data breaches such as this one cause real harm to real people,” Hill said in a statement. “Hoosiers trust us to work hard every day to ensure their safety and security. This action against Equifax results from an extensive investigation, and we will continue our diligent efforts to protect consumers from illegal or irresponsible business activities.”
The state’s complaint further alleges Equifax knowingly misrepresented its information security, was not compliant with Payment Card Industry data standards, and that it “misled every Indiana customer involved in a payment card transaction.”
“(Equifax) continues to break the rules even today continuing to expose consumers to risks without warning,” Hill’s office said. “Equifax continues to accept and process payment cards in its U.S. operations, despite the fact that as of April 29 its full U.S. operations still had not been certified as compliant, as required by the PCI rules.”
In an email to Indiana Lawyer, an Equifax spokesman said the company is reviewing Hill's complaint but cannot comment on pending litigation.