Cyber Security Practitioner

Volume: 3 Issue: 9
(September 2017)

UK Canada US

Equifax reveals it has suffered large-scale cyber attack

US-based consumer credit reporting agency Equifax made public on 7 September 2017 that it has suffered a large-scale cyber incident, which has resulted in the data of approximately 143 million Americans, and possibly UK and Canadian citizens, being compromised. Equifax is currently investigating the breach and reported on its website that it believes the unauthorised access to its data occurred from mid-May 2017 through to when Equifax discovered the breach on 29 July, and that “the company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.”

Equifax revealed the range of compromised data to include names, Social Security numbers, and credit card numbers. At the time of writing Equifax had been hit with at least 23 proposed class action lawsuits across the US. The focus of the complaints includes Equifax’s alleged negligence over cyber security, the time Equifax took to notify the public after the incident occurred, and a ‘forced arbitration’ clause in the T&Cs of its TrustedID Premier program, which Equifax offered to its customers on a complimentary basis for one year ‘to help consumers determine if their information has been potentially impacted and to sign up for credit file monitoring and identity theft protection.’ According to a complaint filed on 9 September 2017 in New York by Linda Tirelli and Brooke Merino, the arbitration clause ‘is another avenue to deprive the Plaintiffs and Sub-Class Members of the ability to avail themselves of the remedies available under the FCRA [Fair Credit Reporting Act] to prevent further dissemination of their private information […] under the guise of an effort to mitigate damages and to provide some assistance to the victims of their data breach.’ Since the filing of such complaints, on 11 September 2017 Equifax confirmed that it ‘will not apply any arbitration clause or class action waiver against consumers for claims related to the free products offered in response to the cybersecurity incident or for claims related to the cybersecurity incident itself.’

US Senator Richard Blumenthal, in a letter to Equifax Chief Executive Richard Smith, described the cyber attack that has compromised the personal data of about half of the US adult population as “a historic data disaster.” The cyber incident may prompt regulators to look into enacting new legislation, according to White House Press Secretary, Sarah Huckabee Sanders, at a press conference on 11 September 2017. “We have to explore all the best ways to make sure that Americans are protected in that sense,” said Sanders. As it stands, there are no requirements under law for consent to be provided by American citizens for detailed credit information to be collected about them by consumer credit reporting companies. Senator Brian Schatz has proposed the reintroduction of the draft ‘Stop Errors in Credit Use and Reporting Act,’ which he claims would empower citizens in resolving errors and misuse of their credit report data. “Because these credit agencies operate in the dark, they are allowed to be terribly unfair and unaccountable,” stated Schatz in a post on his official website. “Millions of Americans have bad credit because of mistakes from credit agencies, and it can ruin lives, stopping people from getting a job or owning a home or car. While I look forward to hearing Equifax management testify under oath before Congress very soon, this bill is another way we can protect consumers.”
