And it's go, go, go for class-action lawsuits against Equifax after 148m personal records spilled in that mega-hack

Banks, folks can sue – but businesses have to show harm

A US judge has given the go-ahead for a set of consolidated lawsuits against credit agency Equifax regarding its 2017 mega-hack.

In a series of orders handed down in a Georgia federal district court on Monday, the evocatively named Judge Thomas Thrash Jr said that legal challenges from payment card issuers and ordinary citizens can proceed against Equifax. A class-action lawsuit brought by ten “small businesses” – which included corporations and limited liability companies – was denied, though. The small biz owners can join in with the consumers.

In effect, payment card issuers are going ahead as one set of lawsuits, and normal folk are bunched into another set, against Equifax. The credit agency had sought to dismiss the claims against it.

The lawsuits were all filed after the credit reference agency admitted in 2017 that some 148 million personal records – including a mix of names, social security numbers, taxpayer ID numbers, and credit card numbers and expiry dates – were stolen by database hackers.

In court documents, Thrash highlighted the “unprecedented” scale of the breach, the fact Equifax is responsible for information on more than 820 million individuals and 91 million businesses, and that it had bragged about its security credentials while having demonstrably poor basic maintenance techniques.

The small businesses claimed they had been harmed due to their owners’ personal data (rather than that of the businesses) being compromised, arguing that this “jeopardized” the creditworthiness of the owners and thus the firms. But the judge said they failed to show injury other than to the owners as individuals, that the alleged injuries “are too speculative,” and that a chain of events would need to occur for the small businesses to suffer actual damage.

Card floggers and consumers good to go

The financial institutions said that the data breach caused them harm because it impacted both their organisations and the mechanisms they use to authenticate customers. They argued they have spent extra time and money in the aftermath of the hack: responding to the compromise of the credit reporting system, and the leak of personal information they rely on for their business; on assessing the impact of the breach; and on mitigating what they say is a substantial risk of future fraudulent activity.


Equifax how-it-was-mega-hacked damning dossier lands, in all of its infuriating glory


Some 23 financial houses also alleged they had issued payment cards that were compromised in the breach, and had spent time and money reissuing these payment cards and reimbursing customers.

The judge ruled that the card issuers can go ahead with their case on the grounds that the banks have incurred concrete costs as a result of the breach and in refunding fraudulent charges. But other financial associations cannot proceed, because they have alleged only "generic and abstract" injuries.

The consumer group, made up of 96 people and seeking to represent more, said they were suffering a “present, immediate, imminent, and continuing increased risk of harm” after their personal information was exposed.

The court ruled that Equifax did owe those plaintiffs a duty of care to safeguard personal information, and that the plaintiffs’ argument that the the biz knew of “severe deficiencies” in their systems but didn’t act was sufficient to allege bad faith on the part of Equifax. ®

Similar topics

Broader topics

Other stories you might like

  • Dog forgets all about risk of drowning in a marsh as soon as drone dangles a sausage

    It's not the wurst idea in the world

    Man's best friend, though far from the dumbest animal, isn't that smart either. And if there's one sure-fire way to get a dog moving, it's the promise of a snack.

    In another fine example of drones being used as a force for good, this week a dog was rescued from mudflats in Hampshire on the south coast of England because it realised that chasing a sausage dangling from a UAV would be a preferable outcome to drowning as the tide rose.

    Or rather the tantalising treat overrode any instinct the pet had to avoid the incoming water.

    Continue reading
  • Almost there: James Webb Space Telescope frees its mirrors and prepares for insertion

    Freed of launch restraints, mirror segments can waggle at will

    NASA scientists have deployed mirrors on the James Webb Space Telescope ahead of a critical thruster firing on Monday.

    With less than 50,000km to go until the spacecraft reaches its L2 orbit, the segments that make up the primary mirror of the James Webb Space Telescope (JWST) are ready for alignment. The team carefully moved all 132 actuators lurking on the back of the primary mirror segments and secondary mirror, driving the former 12.5mm away from the telescope structure.

    Continue reading
  • Arm rages against the insecure chip machine with new Morello architecture

    Prototypes now available for testing

    Arm has made available for testing prototypes of its Morello architecture, aimed at bringing features into the design of CPUs that provide greater robustness and make them resistant to certain attack vectors. If it performs as expected, it will likely become a fundamental part of future processor designs.

    The Morello programme involves Arm collaborating with the University of Cambridge and others in tech to develop a processor architecture that is intended to be fundamentally more secure. Morello prototype boards are now being released for testing by developers and security specialists, based on a prototype system-on-chip (SoC) that Arm has built.

    Arm said that the limited-edition evaluation boards are based on the Morello prototype architecture embedded into an Armv8.2-A processor. This is an adaptation of the architecture in the Arm Neoverse N1 design aimed at data centre workloads.

    Continue reading

Biting the hand that feeds IT © 1998–2022