Equifax Data Breach Class Action Lawsuit

In our digitally interconnected world, it’s almost impossible to keep your personal information offline. If you’ve ever applied for any type of loan, your entire credit history has been closely scrutinized and stored away on a private server somewhere.

Despite whatever precautions you might take, your electronically stored financial data will always be vulnerable to some degree. Unsavory characters lurking in the darker regions of cyberspace are constantly seeking to exploit weak spots in database security systems in order to steal this valuable information. Given this state of affairs, identity theft has become an increasingly common occurrence.

Disconcertingly, even multi-billion-dollar industry-leading companies are not immune to these kinds of online attacks. In 2017, the credit reporting agency Equifax fell victim to the largest data breach in history. Due to the company’s grossly inadequate cybersecurity systems and protocols, its internal servers were hacked into and relentlessly plundered of customers’ private data.

The perpetrator (or perpetrators) made off with the personal information of 147.9 million people —nearly 50% of the adult population of the United States. This scandal sparked a host of class action lawsuits against Equifax, collectively titled In re: Equifax Inc. Customer Data Security Breach Litigation, Case No. 1:17-md-2800-TWT.

Although the deadline for the Initial Claims Period has now passed, if you or someone you know has had their personal information stolen as a result of this data breach, you might still be entitled to some form of compensation. To see if you qualify to be part of this case, please fill out our form and we will connect you with a lawyer in your area.

What Is Equifax?

Established in 1899, Equifax is one of the world’s largest credit reporting agencies, with billions of dollars in annual revenue and millions of individual and corporate clients in America and overseas.

Headquartered in Atlanta, Georgia, and operating in two dozen countries, Equifax collects and analyzes credit and demographic data, which they then sell on to private businesses and creditors in the form of personal credit reports. They also sell fraud prevention and credit monitoring services directly to consumers.

Alongside Experian and TransUnion, Equifax is one of only three national credit bureaus in the United States. These companies all collect information concerning your credit history and financial situation, such as how many credit cards you have, how much money you owe to various creditors, the method/s by which you pay your bills, your reliability in making payments, etc.

If you are seeking to take out any kind of loan (whether it be for a house, car, or college tuition), your prospective creditor will purchase a personal credit report about you from one of these companies. As creditors will typically do business with all three of these companies interchangeably, it’s highly probable that your personal financial information will be shared between them.

There is, unfortunately, no way to opt-out of this monopoly-controlled data collection network. This means that even if you don’t have an account with Equifax and have never purchased any of their products or services, they could still have your personal data, including your credit history, social security number, and other sensitive information.

What Was the Equifax Data Breach?

In May of 2017, an unidentified hacker (or hackers) managed to discretely breach Equifax’s cybersecurity systems. They did so by exploiting a vulnerability in the open-source, third-party software Equifax was using for its Automated Consumer Interview System —the online portal through which it handles customer inquiries and credit card disputes.

From there, the hacker (or hackers) managed to infiltrate the internal servers on Equifax’s corporate network, where they were able to gather security credentials from various employees. Using these login details, the hacker then gained access to Equifax’s credit monitoring databases, which contained the personal information of millions of customers.

As the hacker had logged into these databases under the guise of being authorized users, no cybersecurity alerts were triggered. This enabled the hacker to remain undetected inside the system for a total of 76 days.

During this period, the hacker ran over 9000 scans of Equifax’s credit monitoring databases, and extracted the private information of approximately 147.9 million customers. This data included credit histories, social security numbers, birth dates, mailing addresses, and (for 2.4 million of these customers) partial driver’s license information.

To avoid detection, the data was collected incrementally. The hacker then copied it onto temporary digital archives and routed it through 34 servers in 20 different countries to prevent the theft from being traced.

Equifax finally detected the breach in late July, but did not notify their customers about the incident until early September. The company claimed that they had delayed the public announcement of this massive data theft in order to gauge the full extent of the intrusion and effectively consider their response.

How Was Equifax at Fault for the Data Breach?

Subsequent investigations of the data breach conducted by the federal government and private cybersecurity firms revealed numerous faults in Equifax’s cybersecurity practices.

Months prior to the breach, the Cybersecurity and Infrastructure Security Agency had issued a warning concerning the exact vulnerability which the hacker exploited in the open-source software used on Equifax’s website. Despite this, the company failed to patch their system until it was too late.

Equifax also failed to segment its database servers in order to deny access to other sections of their internal network if one area was breached. Furthermore, the company did not implement adequate intrusion detection mechanisms or encrypt the sensitive information contained on its servers —astonishingly, their employee network credentials and passwords, as well as customer data, was all stored in plain text format.

Was the Aftermath of the Equifax Data Breach?

Less than 24 hours after their public announcement regarding the data breach, Equifax was inundated with multiple class action lawsuits on behalf of clients who had had their personal information stolen. Over the next several months, they were also sued in small claims court by hundreds of litigants, many of whom managed to receive substantial financial compensation.

Calling it “the most humbling moment in our company’s 118-year history,” Equifax CEO Rick Smith resigned from his position. Another senior level executive was arrested and charged with insider trading by the Securities and Exchange Commission, as he had secretly sold his equity share in the company before the breach had been disclosed to the public.

Equifax continued to sully its reputation and public image through its blundering response to the data breach. In the immediate aftermath of the scandal, the company offered victims of the data breach a free identity theft monitoring service called TrustedID.

Ostensibly a goodwill gesture to those affected, in reality, the offer was merely a cynical ploy to limit financial liabilities to the company. By accepting TrustedID’s terms of service, customers forfeited their right to participate in any class action litigation against Equifax, forcing these claimants to pursue arbitration instead.

In September 2017, then director of the Consumer Financial Protection Bureau Richard Cordray initiated an investigation into the data breach on behalf of Equifax’s customers. However, two months later, Corday’s successor as director of the CFPB, Mick Mulvaney, effectively brought the investigation to a close.

Who Performed the Equifax Data Breach?

Bizarrely for a crime of this sort, the stolen personal information taken from the Equifax servers has not yet been used for any activities related to identity theft or fraud. Since late 2017, cybersecurity experts have been scouring black market websites on the deep web where this kind of information is sold and have yet to find any trace of the stolen data.

The United States government and private cybersecurity firms now hypothesize that this hacking operation was actually conducted by a foreign intelligence service, possibly for the purpose of obtaining compromising financial information on key personnel in industries and government agencies relevant to national security.

In February 2020, the federal Department of Justice indicted four members of the People’s Liberation Army of China, charging them with computer fraud, economic espionage, and wire fraud. The Chinese government, however, denies any involvement in the Equifax data breach.

If you are a victim of the Equifax data breach and suspect that agents of a foreign power are attempting to use your personal data to extort, blackmail, or otherwise manipulate you into compromising national security, you should immediately contact your nearest office of the Federal Bureau of Investigation.

Equifax Data Breach Settlement Agreement

In July 2019, Equifax agreed to a settlement with the Federal Trade Commission; the Consumer Financial Protection Bureau; forty-eight states; Washington, DC; and Puerto Rico; as well as 96 of the settlement class representatives named in the consolidated complaint against the company —collectively titled In re: Equifax Inc. Customer Data Security Breach Litigation, Case No. 1:17-md-2800-TWT.

As part of the agreement, Equifax established a $380,500,000 Consumer Restitution Fund to alleviate damages to affected customers. This money has been set aside to cover:

• Cash payments for out-of-pocket losses and time spent
• The purchase of credit monitoring services
• An Alternative Reimbursement Compensation fund for settlement class members who already have credit monitoring and/or identity protection coverage
• Subscription product reimbursement
• Restoration services (identity recovery, fraud protection, etc.) for all settlement class members, whether or not they filed a claim as part of the lawsuit
• Costs associated with notifying settlement class members, as well as administering the settlement itself
• Service awards to settlement class representatives
• Attorneys’ fees, costs, and expenses

It is worth noting that if the Consumer Restitution Fund is exhausted after all these expenses, Equifax will pay an additional $125,000,000 for out-of-pocket losses experienced by customers affected by the data breach.

You may have heard the erroneous early reports of a $125 cash payout per claimant. This was not, in fact, a guarantee, but a cap on prospective cash recovery only available to claimants who were already receiving credit monitoring services. Estimates of what the actual payout will be have still not been disclosed to the public, but the amount will depend on how many class members make a claim.

If you are curious to learn more, a full list of court documents pertaining to the Equifax data breach —including the settlement agreement and final judgment— can be found here. If perusing these legal papers raises any questions or concerns, we encourage you to reach out to our network of attorneys by filling out our form.

Equifax Data Breach Lawsuit Appeal

In September 2020, a lawyer acting on behalf of the objecting plaintiffs filed a proposed amicus brief with the 11^th US Circuit Court of Appeals to challenge the approval of Equifax’s settlement of claims related to the data breach. The lawyer alleges that:

• Equifax misled the public about the $125 payment in their initial compensation notice, resulting in a problematic claims process
• Millions of class members have valuable claims for statutory damages that greatly exceed the expected payout
• No effort was made by Class Counsel (aka., the settlement class representatives) or the District Court to ascertain the extent of statutory damages of absent class members
• Class Counsel’s decision to not pursue statutory damages will deter participation in future class action suits
• The majority of settlement class members actually disapprove of the agreement with Equifax

This appeal process is still ongoing. While it complicates the pending approval of the settlement agreement and will delay the legal proceedings in this case, if successful, this appeal could result in a substantially better compensatory outcome for the claimants involved.

If you are dissatisfied with the terms of the Equifax settlement agreement and wish to add your voice to the objecting plaintiffs, please get in touch with our legal team using the form below.

How Do I Know if I Qualify to Be Part of the Equifax Data Breach Lawsuit?

If you believe that your personal data has been stolen as a result of the Equifax data breach, you can easily check your eligibility online. However, be warned that there has been a proliferation of so-called “phishing” websites masquerading as the official Equifax eligibility verification portal. The only legitimate website to check your eligibility is the following:

https://eligibility.equifaxbreachsettlement.com/en/Eligibility

What Is the Deadline to Apply for a Claim?

Unfortunately, the deadline for the Initial Claims Period in the Equifax data breach lawsuit passed on January 22^nd, 2020. However, as long as any money remains in the Consumer Restitution Fund (or the $125,000,000 for additional out-of-pocket losses), there will be an Extended Claims Period until January 22^nd, 2024.

How Does the Equifax Data Breach Lawsuit Work?

Following the ultimate resolution of the appeal process and settlement agreement, payments will be made to claimants out of the Consumer Restitution Fund on a first-come-first-served basis. Those who registered their claims during the Initial Claims Period will be compensated first, followed by those who filed during the Extended Claims Period.

Regrettably, under the current settlement agreement, the majority of the money in the Consumer Restitution Fund that has been set aside for individual claimants is reserved for reimbursing customers who have suffered financial losses due to fraud or identity theft —as this was the main scenario anticipated following the breach.

However, the stolen data does not yet appear to have been used for such criminal purposes. Therefore, nearly all the claimants will be claiming for losses incurred during time spent taking preventive measures against fraud and identity theft. Extended Claims Period members are not eligible for compensation with regard to time spent freezing their credit reports or purchasing credit monitoring and identity protection services, however.

If, during the Initial Claims Period, there are more than $31 million in claims for time spent, then all payments will be reduced and distributed on a proportional basis. You can still claim for certain time spent losses during the Extended Claims Period up to a total cap (for both the Initial and Extended Claims Periods) of $38 million in claims.

If settlement funds still remain after paying out initial claims for out-of-pocket losses and time spent, credit monitoring services and Alternative Reimbursement Compensation, identity restoration services, administrative and notice costs, class representative service awards and attorney’s fees and expenses, then the monetary caps for time spent will be lifted, and payments will be increased proportionately.

How Much Can I Recover From the Equifax Data Breach Lawsuit?

Those who apply during the Extended Claims Period will not be compensated to the same extent as those who applied before the Initial Claims Period deadline. You will still be reimbursed if you have been the victim of fraud, identity theft, or the alleged misuse of your personal information if this crime is directly attributable to the data breach —although this crime must have happened to you in the time since the Initial Claims Period deadline of January 22^nd, 2020.

You are entitled to $25 an hour for up to 20 hours spent on actions taken in response to the data breach regarding the misuse of your stolen information. However, for Extended Claims Period class members, this excludes time spent placing or removing security freezes on your credit report and/or purchasing credit monitoring or identity protection services.

During the Extended Claims Period, you also cannot claim for free credit monitoring services or the Alternative Reimbursement Compensation available to those who have already purchased credit monitoring or identity protection services.

To receive this compensation, you must provide a full description of the actions taken and the time associated with these actions. You must also certify that this statement is truthful. To claim more than 10 hours, you must have documentation proving that your data was used for identity theft or other fraudulent activities. A bank statement, an Internal Revenue Service, or police report should suffice for this purpose.

If money was stolen from you through fraud or identity theft, you can be compensated up to $20,000 (including your claims for time spent). This amount covers the following:

• Unreimbursed costs or losses paid during the Extended Claims Period that are related to identity theft or fraud, such as falsified tax returns and the alleged misuse of your personal information
• Miscellaneous expenses associated with out of pocket losses, such as notary, fax, postage, copying, mileage, long-distance telephone charges, etc.
• Professional fees incurred in connection with addressing the theft of your identity, fraud, or falsified tax returns

Making sense of this convoluted claims process and filing the appropriate paperwork can be a difficult task. In order to avoid making any procedural mistakes (which can accidentally void your claim), we highly recommend that you seek legal assistance in this matter. Fill out our form, and we will put you in touch with a capable local attorney.

What Should I Do if I Have Been Affected by the Equifax Data Breach?

First and foremost, if you suspect that you are the victim of fraud or identity theft resulting from the 2017 Equifax data breach, you should immediately freeze your credit report.

If you are eligible to take part in this class action lawsuit against Equifax, reaching out to an attorney at a reputable law firm is perhaps the best decision you can make. Not only will they handle all the paperwork associated with making your claim, they will also ensure you receive the maximum amount of compensation to which you are rightfully entitled.

Once you make your claim as part of the class action settlement, you will be giving up your right to make any further legal claims related to the data breach once the settlement becomes effective. This means you will forfeit the right to file or continue to pursue any separate legal claims against Equifax or demand any further compensation for any harm or money lost due to the data breach.

While this choice may be perfectly appropriate for your situation, it would be best to confirm this with a legal expert before committing to this course of action.

If you choose to do nothing at all, once the court allows benefits to be distributed to claimants, you will still receive:

• Free help in recovering from identity theft for a period of 7 years
• Free identity restoration services if you discover that your personal information has been misused
• Free credit reports —up to 7 per year until 2026

However, depending on your situation, you could be entitled to far more than these complimentary credit reports and identity theft and recovery services. Fill out our form, and we will connect you with a local lawyer who can accurately assess the full extent of the compensation that you are owed by Equifax.

Do I Need Legal Counsel to Join the Equifax Data Breach Lawsuit?

While it is possible to file a claim against Equifax by yourself, we would not advise it. Given Equifax’s demonstrated pattern of duplicitous behavior in dealing with this data breach scandal, we strongly recommend getting an attorney on your side before making your claim.

By consulting with a lawyer first, you can rest assured that you will be receiving the most favorable settlement possible. You will also avoid potentially falling prey to any deceitful legal tactics from Equifax’s corporate lawyers.

Our excellent network of attorneys will advocate for your best interests in this case and negotiate a fair settlement with Equifax on your behalf. Fill out our form and we will put you in touch with a lawyer in your area.

How Long Will It Take to Resolve the Equifax Data Breach Lawsuit?

Payouts for claimants in the Initial Claims Period, followed by the Extended Claims Period, will commence once the settlement becomes effective. The court gave final approval to the class action agreement with Equifax on January 13^th, 2020.

However, some objectors have appealed the Court’s approval decision. The settlement, therefore, cannot be finalized until the appeal is resolved. This could substantially delay the final settlement, perhaps by up to a year or more due to the complexity of the case, the amount of money involved, and the enormous number of class settlement members.

To stay posted on the status of the Equifax data breach settlement and its subsequent appeal, you can subscribe to the Federal Trade Commission’s email updates service.

How Will I Receive My Compensation From the Equifax Data Breach Lawsuit?

Cash payments will be sent to the mailing address you provided when making your claim. You have the option to receive payment in the form of a check or on a pre-paid debit card.

For credit monitoring services, you will receive instructions and an activation code via email.

Free identity restoration services will be available in the future. However, Equifax has not yet announced how these will be provided to claimants.

How Long Will It Take to Receive the Funds After Resolving the Lawsuit?

Due to the huge number of claimants and the fact that the funds will be dispensed in the order in which the claims were received, it could take almost a year or more to receive any financial compensation from Equifax.

Final Thoughts

The 2017 Equifax data breach severely shook the American public’s trust in credit reporting agencies, and rightfully so. The whole sordid affair not only exposed the inadequacy of Equifax’s data security systems, it also revealed how vulnerable our private data is to the threat of fraud and identity theft.

While this lawsuit cannot restore your peace of mind on the issue of cybercrime, it will at least provide some compensation for Equifax’s negligent handling of your personal information.