The Journal Gazette
Monday, May 06, 2019 4:10 pm

Indiana attorney general sues Equifax

NIKI KELLY | The Journal Gazette

INDIANAPOLIS – Attorney General Curtis Hill filed suit today against one of the nation's leading credit reporting bureaus for a 2017 data breach.

Indiana is the third state to take legal action against Equifax. Hill is seeking an injunction to require the company to fix cybersecurity flaws as well as pay customers back for any negative impact.

"Data breaches such as this one cause real harm to real people," he said. "Hoosiers trust us to work hard every day to ensure their safety and security. This action against Equifax results from an extensive investigation, and we will continue our diligent efforts to protect consumers from illegal or irresponsible business activities."

Almost 148 million Americans had their data breached, including 3.8 million Hoosiers.

An Equifax spokesman said the company is reviewing the complaint filed and can't comment further on pending litigation. 

Hill said litigation is a last resort but wouldn't comment further on earlier negotiations with the company.

He alleges the company was aware of "gaping holes" in their system and the breach was "entirely preventable."

Hill said some Hoosiers chose to pay for their own credit monitoring after the breach and he would be seeking reimbursement for those costs.

He said data breaches occur often but litigation is not always needed. Key factors are what a company has done to prevent a breach and what they did after to deal with its consequences.

The data breach at Equifax occurred between May 13, 2017 and July 30, 2017. A congressional committee blamed the breach in large part on an aggressive growth strategy pursued by former Equifax CEO Richard Smith, a news release said.

During this time, the company also pursued aggressive cost-cutting measures that included the outsourcing of some of the company’s mission-critical systems. To save expenses, the outsourcing contracts understaffed vital functions and either ignored patching and vulnerability remediation or treated those responsibilities as relatively unimportant, according to Hill.

Subscribe to our newsletters

* indicates required