On Monday, Indiana Attorney General Curtis Hill filed a lawsuit against Equifax seeking civil penalties, consumer restitution, costs and injunctive relief following the finance company’s massive 2017 data breach that compromised the sensitive personal information of 147.9 million Americans, including 3.9 million Hoosiers.
“Data breaches such as this one cause real harm to real people,” Hill said. “Hoosiers trust us to work hard every day to ensure their safety and security. This action against Equifax results from an extensive investigation, and we will continue our diligent efforts to protect consumers from illegal or irresponsible business activities.”
The data breach at Equifax, one of the world’s largest credit reporting bureaus, occurred between May 13, 2017 and July 30, 2017. The U.S. House of Representatives Committee on Oversight and Government Reform investigation concluded the breach was “entirely preventable.”
The congressional committee blamed the breach in large part on an aggressive growth strategy pursued by former Equifax CEO Richard Smith. Under Smith’s leadership, the committee concluded, Equifax acquired “multiple companies, information technology (IT) systems, and data … [that] brought increasing complexity to Equifax’s IT systems, and expanded data security risks.”
During this time, the company also pursued aggressive cost-cutting measures that included the outsourcing of some of the company’s mission-critical systems. To save expenses, the outsourcing contracts understaffed vital functions, and the service level agreements contained in the contracts focused entirely on revenue enhancing metrics such as maintaining uptime. These agreements either ignored patching and vulnerability remediation or treated those responsibilities as relatively unimportant.
At every logical opportunity to improve security measures, Equifax’s leaders instead chose increasing revenue over protecting the safety of consumers’ sensitive personal information.
Among the company’s most glaring improprieties was its failure to implement and maintain detailed Payment Card Industry (“PCI”) standards. The system that was breached contained a payment card processing component. From at least 2006, Equifax knew the system contained payment card processing. From at least 2013, Equifax knew the system was storing payment card information in clear text, which was a known violation of the rules.
Equifax knew PCI certification required all components of the payment card processing system and connected network to comply with the PCI standards. To date, no entity fully compliant with PCI Data Security Standard appears to have been breached. Despite its knowledge, Equifax made a conscious choice to break the rules. It continues to break the rules even today, continuing to expose consumers to risks without warning. Equifax continues to accept and process payment cards in its U.S. operations, despite the fact that as of April 29 its full U.S. operations still had not been certified as compliant, as required by the PCI rules.