The scenario that personal finance and credit experts feared most about the heist of consumer data from Equifax may already be underway: Criminals are using the stolen information to apply for mortgages, credit cards and student loans, and tapping into bank debit accounts, filing insurance claims and racking up substantial debts, according to a major new class-action suit.
The suit pulls together dozens of individual complaints from consumers in all 50 states plus the District and suggests that cybercriminals aren't wasting time using the Social Security numbers, credit card accounts, driver's license numbers and other sensitive personal information they siphoned out of the credit bureau's reputedly secure databases on 145.5 million Americans.
Filed in federal district court in Equifax's home territory of Atlanta, the suit is intended to create a single, giant national class action against the company. It alleges violations of federal and state laws and cites claims by more than 50 individual plaintiffs whose information was hacked that significant financial damage already is occurring. A few examples:
●Bridgette Craney of Virginia says that since the Equifax breach, she has experienced "multiple fraudulent charges" on five of her credit card accounts and had two fraudulent store credit accounts opened in her name.
●Robert Hunt of Georgia claims that multiple "unauthorized mortgages" have been applied for using his stolen information.
●Jennifer Wise of Vermont says she has been getting dunned by collection agencies for "loans that she never opened."
●Manuel Lucero of Mississippi says criminals have applied for student loans using his identity; Kyoko Yamamoto of New York claims "at least two" unauthorized charges have been made using her debit card; and Jasmine Guess of Louisiana says fraudulent insurance claims have been made using her stolen identity information.
The suit, Allen et al v. Equifax, charges that the company "failed spectacularly" in its legal responsibilities to protect consumers' confidential data. It also alleges that the company failed to take steps to upgrade its security protocols, such as installing a remedial patch provided by a software maker, and then delayed informing consumers about the breach, thereby preventing them from taking steps to minimize the damage.
Through Equifax's negligence, according to the suit, cybercriminals gained access to data that now "permits thieves to create fake identities, fraudulently obtain loans, swipe tax refunds and destroy" consumers' creditworthiness. Among the most vulnerable potential and actual victims: home buyers and mortgage applicants, who "tend to have significant information on file with credit bureaus" and as a result are "especially at risk" for ID theft after the Equifax data breach.
An Equifax representative had no comment on the litigation. Lawyers representing the individual plaintiffs also declined to comment. The potential size of the class represented by the suit is enormous — "all residents of the United States whose personal information was compromised as a result of the data breach announced by Equifax." The allegations include violations of the federal Fair Credit Reporting Act, the Federal Trade Commission Act and state consumer protection laws as well as rules regarding deceptive practices and data breaches, all of which are recounted in the 323-page filing.
The suit is particularly harsh in its criticism of Equifax's alleged failures to heed red flags indicating that its systems were not secure. In April 2017, according to the suit, cyber-risk analysis firm Cyence rated the probability of a security breach at Equifax at 50 percent in the next 12 months. Credit analytics firm FICO gave Equifax low marks on data protection: an enterprise security score around 550 on a scale of 300 to 850. In 2014, Equifax "left private encryption keys on its server," potentially allowing hackers to decrypt sensitive data, according to the suit.
How might this suit affect you? If you own a home, have a mortgage or received information from Equifax that your files were accessed, you are probably part of the class. You needn't do anything to join. Keep in mind, though: The case may sound like a slam-dunk, but it might not be. Lawyers will need to demonstrate a link between plaintiffs' claims of identity theft and the Equifax breach, which may be challenging to prove.
In the meantime, remember that it's not too late to get defensive. If you're like the vast majority of consumers who have not yet placed freezes on their files at Equifax, Experian, TransUnion and Innovis, consider doing so now. For information on how to proceed, go to consumer.ftc.gov/articles/0497-credit-freeze-faqs.
Ken Harney's email address is firstname.lastname@example.org.