Madison, Wis.-based Summit Credit Union has filed a class-action lawsuit against Equifax on behalf of credit unions for damages related to the credit-reporting agency’s giant data breach disclosed earlier this month. The suit claims Equifax failed to secure its website, ignored warnings from security experts and took too long to disclose the breach, according to a complaint filed in U.S. District Court.
According to Summit CU, which has $2.8 billion in assets and about 167,000 members, the breach has left credit unions to shoulder the costs of cancelling and reissuing member cards, as well as the expense of lost business and fraud activity on member accounts.
Credit unions may also face new regulatory compliance costs as regulators request additional reports and plans in an effort to protect consumers, Summit alleged. Financial institutions will have to bear the burden associated with fraudulent new accounts created by identity thieves, too, it said.
“With the complete data sets that hackers have now acquired from the Equifax breach, criminals can use these stolen identities or create a new identity from scratch. They can then use this identity to apply for new lines of credit, loans, or other accounts with financial institutions,” Summit claimed. “With a breach of this magnitude, there is virtually no limit to the amount of fraudulent account openings financial institutions may face.”
The Equifax breach, announced September 7, affects 143 million U.S. consumers. Compromised information primarily includes names, Social Security numbers, birth dates, addresses and in some cases driver’s license numbers. The breach also jeopardized credit card numbers for about 209,000 people, as well as dispute documents for about 182,000 consumers.
Outdated software may have contributed to the breach, Summit claimed.
“From mid-May to late July of 2017, hackers exploited a vulnerability in Equifax’s U.S. web server software to illegally gain access to certain consumer files. Investigators believe that the point of entry may have been a software application called Apache Struts,” Summit alleged in its complaint. “The potential vulnerability of the Apache Strut software was no secret. Security researchers with Cisco Systems Inc. warned in March 2017 that a flaw in the Apache Struts software was being exploited in a ‘high number’ of cyberattacks. Despite this warning, Equifax continued to use the software. And Equifax was reportedly using an outdated version of Apache Struts at the time of the data breach.”
In a press release on September 15, Equifax said it believes the unauthorized accesses to certain files containing personal information occurred from May 13 through July 30, 2017.
“With respect to the company's security posture, Equifax has taken short-term remediation steps, and Equifax continues to implement and accelerate long-term security improvements,” it said.
There are more than 100 class members in Summit’s class-action suit, and the damages exceed $5 million, according to the filing.
Complete your profile to continue reading and get FREE access to CUTimes.com, part of your ALM digital membership.
Your access to unlimited CUTimes.com content isn’t changing.
Once you are an ALM digital member, you’ll receive:
- Breaking credit union news and analysis, on-site and via our newsletters and custom alerts
- Weekly Shared Accounts podcast featuring exclusive interviews with industry leaders
- Educational webcasts, white papers, and ebooks from industry thought leaders
- Critical coverage of the commercial real estate and financial advisory markets on our other ALM sites, GlobeSt.com and ThinkAdvisor.com
Already have an account? Sign In Now
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
