Massachusetts AG sues Equifax over massive data breach

The suit alleges the credit reporting bureau violated state data protection and privacy laws by not installing appropriate safeguards.

Steven Musil Night Editor / News

Steven Musil is the night news editor at CNET News. He's been hooked on tech since learning BASIC in the late '70s. When not cleaning up after his daughter and son, Steven can be found pedaling around the San Francisco Bay Area. Before joining CNET in 2000, Steven spent 10 years at various Bay Area newspapers.

Expertise I have more than 30 years' experience in journalism in the heart of the Silicon Valley.

See full bio

Steven Musil

Sept. 19, 2017 3:39 p.m. PT

2 min read

Online Security — The suit says the personal information for nearly 3 million Massachusetts residents was potentially exposed by the hack.
Getty Images

Massachusetts Attorney General Maura Healey filed a lawsuit against Equifax on Tuesday, following a massive hack at the company that exposed sensitive financial information for nearly half the US population.

The complaint, filed in Suffolk Superior Court, alleges the credit reporting bureau violated Massachusetts' consumer protection and data privacy laws by not installing appropriate safeguards. The personal information for nearly 3 million Massachusetts residents was potentially exposed by the hack, according to the lawsuit.

"We are suing because Equifax needs to pay for its mistakes, make our residents whole, and fix the problem so it never happens again," Healey said in a statement.

Meanwhile, Equifax's Canadian division said Tuesday the hack may also affect about 100,000 consumers in that country. The company said the information that may have been compromised included names, addresses, social insurance numbers and in some cases credit card numbers.

Massachusetts' lawsuit is the first official enforcement action in what is expected to be a massive legal onslaught against Equifax in the wake of a hack that exposed the personal financial data of as many as 143 million people in the US, including names, Social Security numbers, birthdates and addresses of customers. A handful of attorneys general for other states, including New York, Illinois and Connecticut, and two prominent senators, have asked the company for information about the hack.

The US Justice Department and Federal Trade Commission have opened investigations into the hack.

Some of the questions focus on nearly $1.8 million in stock sales made by Equifax executives, including the company's chief financial officer, three days after the breach was discovered and several weeks before it was made public.

Equifax said last week the hack was made possible by a months-old but apparently unpatched web server vulnerability. Patches were made available for the flaw in mid-March, but it's unclear why the flaw still existed on Equifax's servers in mid-May.

On Friday, the company said Chief Security Officer Susan Mauldin and Chief Information Officer David Webb would be "retiring," effective immediately.

Equifax declined to comment, citing its policy on pending litigation.

Solving for XX: The industry seeks to overcome outdated ideas about "women in tech."

It's Complicated: This is dating in the age of apps. Having fun yet? These stories get to the heart of the matter.