Two more credit unions are suing Equifax for damages related to the credit-reporting agency's recent data breach, court records show.
Colorado Springs, Colorado-based Aventa Credit Union and New Castle, Pennsylvania-based First Choice Federal Credit Union, along with the New Orleans-based Bank of Louisiana, filed the class-action complaint against Equifax in U.S. District Court on September 22. Similar to a separate class-action suit filed by Summit Credit Union on September 11, the three financial institutions allege that Equifax failed to secure its website, ignored warnings from security experts and took too long to disclose the breach.
Aventa Credit Union has $175 million in assets and about 23,700 members. First Choice FCU has $44 million in assets and 6,700 members. The financial institutions claimed they will incur “significant damages” related to card reissue, fraud and fraud prevention.
In their complaint, the two credit unions and Bank of Louisiana also highlighted growing concerns about whether hackers will target them next.
“The hackers were also able to access Equifax's back-end servers, which are connected to financial institutions and enable the parties to share information digitally. Such an intrusion has left credit issuers, including plaintiffs, woefully exposed to the threat of hackers piggybacking off of Equifax's lax security and entering its partners' systems,” the complaint said.
The Equifax breach, announced September 7, affects 143 million U.S. consumers. Compromised information primarily includes names, Social Security numbers, birth dates, addresses and in some cases driver's license numbers. The breach also jeopardized credit card numbers for about 209,000 people, as well as dispute documents for about 182,000 consumers.
The credit unions claimed that outdated software that supports the online dispute process may have contributed to the breach.
“The potential vulnerability of the Apache Strut software was no secret. Numerous entities identified and issued public warnings in March 2017 regarding the vulnerability, including The Apache Foundation, the U.S. Department of Commerce's National Institute of Standards and Technology, and the U.S. Computer Emergency Readiness Team,” the complaint alleged.
The Apache Foundation made patches and workarounds available to protect against the vulnerability, but Equifax didn't apply them for two and a half months, it said.
“The dire consequences of the increased risk of identity theft caused by Equifax's failures cannot be overemphasized,” the complaint added. “With the information used to establish a legal identity now available to identity thieves for over 143 million consumers, lenders are at greatly increased risk of loan fraud and payment card transaction fraud, and are left to devise and implement, and pay for, their own prophylactic measures to reduce such risk.”
In a press release on September 15, Equifax said it believes the unauthorized accesses to certain files containing personal information occurred from May 13 through July 30, 2017.
“With respect to the company's security posture, Equifax has taken short-term remediation steps, and Equifax continues to implement and accelerate long-term security improvements,” it said.
“Long-term security” may be the operative phrase for credit unions, according to the suit.
Complete your profile to continue reading and get FREE access to CUTimes.com, part of your ALM digital membership.
Your access to unlimited CUTimes.com content isn’t changing.
Once you are an ALM digital member, you’ll receive:
- Breaking credit union news and analysis, on-site and via our newsletters and custom alerts
- Weekly Shared Accounts podcast featuring exclusive interviews with industry leaders
- Educational webcasts, white papers, and ebooks from industry thought leaders
- Critical coverage of the commercial real estate and financial advisory markets on our other ALM sites, GlobeSt.com and ThinkAdvisor.com
Already have an account? Sign In Now
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.