On September 7, Equifax announced a massive cyber breach that affected 143 million consumers. The intruders accessed information that includes consumers’ names, addresses, Social Security numbers, birth dates, and driver’s license numbers.
Equifax claims the cause of the breach was a vulnerability in Apache Struts. Many companies use this open-source platform to create Java web applications.
Equifax explained that the hackers exploited the Apache Struts CVE-2017-5638 vulnerability. However, in March, NIST announced the vulnerability in its National Vulnerability Database. The Apache Software Foundation confirmed that Equifax failed to install the patches to fix the vulnerability.
Legal Actions
Victims of the breach are already filing lawsuits. The City of San Francisco filed a lawsuit that alleges Equifax violated the California state breach law by not implementing reasonable security measures. San Francisco is seeking millions of dollars in civil penalties and consumer restitution.
So far, court records show that the majority of plaintiffs did not allege they were victims of stolen identity. Most courts require a theft of sensitive personal information to establish standing for a lawsuit. To prevail, plaintiffs will need to present evidence showing they were harmed as a result of the Equifax breach.
Free Credit Services for Victims
Equifax is offering the breach victims one year of free credit monitoring services. The enrollment period begins when an affected consumer activates the service. The deadline to enroll is January 31, 2018.
Consumers can find out if the breach impacted them on Equifax’s website. To receive an instant answer, each consumer must provide their last name and the last six digits of their Social Security number.
If the breach affected a consumer, the site returns a message that says, “Based on the information provided, we believe that your personal information may have been impacted by this incident.” At that point, the consumer may enroll in TrustedID Premier for a complimentary one-year subscription.
TrustedID Premier provides “identity theft protection and credit file monitoring” and includes 5 offerings:
- An Equifax credit report
- An Equifax credit report lock
- Credit file monitoring with Equifax, Experian, and TransUnion
- Social security number monitoring
- $1 million dollars of identity theft insurance
Ongoing Investigations
Equifax’s massive cybersecurity breach puts a spotlight on its competence as an organization to manage consumer data. Currently, several agencies are investigating the Equifax breach including the FBI, the FTC, the SEC, and most state attorneys generals.
For more information about the Equifax breach, visit these links:
Equifax Officially Has No Excuse
Equifax Hit With First Lawsuit by U.S. City Over Data Breach
The Hackers Who Broke Into Equifax Exploited a Flaw in Open-Source Server Software
Do You Want to Sue Equifax Over the Cyberbreach? Winning a Lawsuit May Not Be So Easy
Alice M. Porch, Esq., CIPP/US, C|EH, Security+
Alice is a member of the Florida Bar, and she focuses on data privacy and cybersecurity compliance in her law practice. She attended the Warrington College of Business at the University of Florida and earned a Bachelor of Science in Business Administration. After graduating, she earned a Juris Doctor at the Stetson University College of Law. During law school, she served as an Assistant Executive Editor for Stetson Law Review and also as a Staff Editor for Stetson Journal of Advocacy and the Law. She currently serves as Chair of The Florida Bar Journal/News Editorial Board.
