The massive data breach exposed the credit information of 150 million Americans, including almost 4 million in Indiana.
(Indianapolis, Ind.) – The State of Indiana wants Equifax to pay for exposing the information on nearly four million people in the state.
The state filed a lawsuit Monday over the 2017 data breach at Equifax. The breach at one of the world’s largest credit reporting bureaus resulted in almost 150 million people across the country having their information exposed, including 3.9 million Hoosiers.
“Data breaches such as this one cause real harm to real people,” Indiana Attorney General Curtis Hill said. “Hoosiers trust us to work hard every day to ensure their safety and security. This action against Equifax results from an extensive investigation, and we will continue our diligent efforts to protect consumers from illegal or irresponsible business activities.”
The lawsuit seeks civil penalties, consumer restitution, costs and injunctive relief.
The U.S. House of Representatives Committee on Oversight and Government Reform investigation concluded the breach from May 13 through July 30, 2017 was “entirely preventable.”
Indiana's lawsuit says Equifax prioritized profits over data security. During the time the break took place, according to the AG, the company also pursued aggressive cost-cutting measures that included the outsourcing of some of the company’s mission-critical systems. That outsourcing led to understaffing of vital functions and treated patching and vulnerability remediation as unimportant.
Also, the company is accused of violating Payment Card Industry standards, including storing some consumer payment card information in clear text.
Hill’s office said that Equifax knew PCI certification required all components of the payment card processing system and connected network to comply with the PCI standards. To date, no entity fully compliant with PCI Data Security Standard appears to have been breached.
“Despite its knowledge, Equifax made a conscious choice to break the rules. It continues to break the rules even today, continuing to expose consumers to risks without warning. Equifax continues to accept and process payment cards in its U.S. operations, despite the fact that as of April 29 its full U.S. operations still had not been certified as compliant, as required by the PCI rules,” according to the Office of the Indiana Attorney General.