Consumers around the country have started filing lawsuits against Equifax, the company that revealed last week that a cyberattack had exposed the personal information of about approximately 143 million people.
At least six lawsuits seeking class action status had been filed against the credit bureau by Monday. One of them — brought in the Southern District of New York by two women who assert that they now "live in constant fear" of identity theft — claims that Equifax violated federal credit reporting statutes and state consumer protection laws. Others were filed separately by consumers in Illinois, Nevada, Ohio, Oregon, and Georgia.
On Monday, Equifax was also targeted by two US senators — Orrin Hatch, the Utah Republican who chairs the Senate Finance Committee, and Ron Wyden, an Oregon Democrat — who asked the company to provide a timeline of the breach and its discovery, particularly in relation to the sale of Equifax stock by senior executives, including the chief financial officer.
Equifax did not immediately respond to a request for comment from BuzzFeed News.
The company said that it learned of the attack in July but did not publicly disclose any information about it until September. But three Equifax executives sold nearly $1.8 million in stock in the days after the discovery that customer information had been exposed, Bloomberg reported. The company denies that the executives had any "knowledge that an intrusion had occurred at the time."
A cyberattack of this scale could mean record amounts in damages. A complaint filed on behalf of two consumers in Portland, Oregon, last Thursday argued that consumers were owed roughly $70 billion in damages and accused Equifax of negligence in failing to protect consumer data and choosing to save on costs instead of investing in technical safeguards that could have stopped the attack.
"At this point we don’t know the extent of the damages," said Tom Zimmerman, a lawyer who represents the two New York consumers, Linda Tirelli and Brooke Merino. "Certainly the damages would be in the tens of millions of dollars under statutory damage provisions. We would also be seeking credit monitoring for everybody and whatever costs that would be associated with that."
Equifax reported last week that hackers had gained access to people's names, Social Security numbers, birth dates, addresses, and, in some instances, driver's license numbers from mid-May through July 2017. About 209,000 credit card numbers and documents with personal identifying information for approximately 182,000 US consumers were also accessed.
"People are terrified," Ben Meiselas, an attorney with Geragos & Geragos, which filed the Portland suit, told BuzzFeed News. "This myth that your data is held sacrosanct has all come tumbling down, and people don't know where to turn to protect their identities."
James McGonnigal, a Maryland resident who is a lead plaintiff in a suit filed against Equifax in Georgia on Thursday, asserts that four credit accounts and multiple credit inquiries were opened in his name recently without his authorization. He said the company was responsible for damages he suffered — or might suffer in the future — related to identity theft, unauthorized charges, and time spent closing bank accounts and freezing his credit.
It is unclear whether Equifax's insurance against cyberattacks will be able to cover the extent of the damages tied to the data exposure, which could reach $75 billion, said Meiselas. "This is a case going to touch on their corporate survival," he said.