Lawsuits Against Equifax Pile Up. But Where Are the Handcuffs?

Short seller Carson Block victimized by Equifax hack, sues for $500,000

Carson Block, the short-seller who exposed Sino-Forest and Huishan Dairy and made a ton of money doing so, missed out on the Equifax disaster. Not having divined what would happen, his firm Muddy Waters failed to short Equifax shares before they collapsed 35% in six trading days.

But he didn’t miss out on the hack: He was one of the 143 million Americans whose data, including Social Security numbers, got stolen in the Equifax hack. And on Friday, he sued Equifax.

The lawsuit, reported by the Financial Times on Sunday, accuses Equifax of negligence in its failure to protect his personal identifying information from criminals, and of not disclosing the hack in a timely manner. He is seeking damages of at least $500,000 for the “stress, nuisance and annoyance” of having to deal with the consequences of the hack.

The suit notes that Equifax’s business revolves around being a “secure storehouse” for data and providing a clear financial profile of consumers that lenders and other businesses can rely on.

At a minimum, Equifax should have but didn’t patch a vulnerability in Apache Struts, an open-source framework for developing web applications in Java. The Apache Foundation disseminated a patch on March 6 but Equifax didn’t implement the update. ArsTechnica explains the omission:

Three days later, the bug was already under mass attack by hackers who were exploiting the flaw to install rogue applications on Web servers. Five days after that, the exploits showed few signs of letting up.

The hack occurred after mid-May. On Friday, Equifax said that it had finally patched the vulnerability on July 30, nearly five months after the update had become available, and a day after it had figured out that it had been hacked. This must have been one of the most glorious oh-shit moments in corporate history.

Block’s lawsuit names 11 senior executives at Equifax, including CEO Richard Smith. Two of the named people, chief information security officer Susan Mauldin and chief information officer David Webb, were sacked on Friday “effective immediately.”

The Financial Times:

According to the suit, Equifax should have known that its defenses were fragile, following two big breaches in 2016 alone. In one of those, in May, 430,000 names and other vital pieces of information were lost as a result of the company using “alarmingly poor” security for the generation of PINs from the last four digits of a social-security number and the four-digit year of birth.

Block isn’t the first one to sue. Within hours of the disclosure of the hack on September 7, law firm Olsen Daines PC along with class-action specialist Geragos & Geragos, filed a proposed class-action lawsuit in federal court in Portland, OR, against Equifax seeking $70 billion in damages nationally. It alleged that Equifax was negligent in failing to protect the data of the plaintiffs Mary McHill and Brook Reinhard. The complaint:

“In an attempt to increase profits, Equifax negligently failed to maintain adequate technological safeguards to protect Ms. McHill and Mr. Reinhard’s information from unauthorized access by hackers.”

“Equifax knew and should have known that failure to maintain adequate technological safeguards would eventually result in a massive data breach. Equifax could have and should have substantially increased the amount of money it spent to protect against cyber-attacks but chose not to.”

Earnings per share and financial engineering were clearly more important than investing in the security of consumer data to protect the core of its business. Equifax blew nearly $500 million on share repurchases in 2014 and 2015, though it didn’t repurchase any shares in 2016, according to its annual report. As of December 31, 2016, it was approved for additional share repurchases of $667 million. It might have used some of that authorization over the past few trading days to buy its own shares to keep them from plunging further.

Manipulating up the stock price via share repurchases seemed to be much more promising for executive bonuses than investing in the security of its IT system.

By September 11, the USA Today counted 23 proposed class-action lawsuits that had been filed against Equifax around the country. Plaintiffs’ lawyers are licking their chops. They have two angles of attack: shareholder lawsuits and consumer lawsuits. And there will be innumerable lawsuits from individuals, from small-claims suits to big ones like Carson Block’s. Equifax will blow a fortune on legal costs and settlements for years to come — on top of the fortune it will also have to spend to beef up its IT system.

This is the result of short-termism focused on earnings per share and share buybacks, while not investing to protect the core of its business. This is a decision the CEO and the board made. Heads should roll in both places. And it wouldn’t hurt to see a fearless prosecutor find a reason to lead some of the top folks out the door in handcuffs.


  57 comments for “Lawsuits Against Equifax Pile Up. But Where Are the Handcuffs?”

  1. Jeff Lill says:

    Wolf: I’m so pleased that you’re still on this story (we exchanged some email when this first came out).

    I don’t know why, but this really makes me angry. I’m normally a calm reasonable guy, but frankly, I want to see some credit reporting agency blood.

    Where is Trump and the Republicans on this??? (I voted for Trump). Elizabeth Warren and the democrats have already submitted some bills. Not a peep from the republicans that I can see. They’ll be on the wrong side of this if they don’t act.

    I have a hard time saying this, but I find myself fantasizing about what Warren is going to do to these CRP agency CEOs during the senate hearings.

    I hope that Trump and the republicans look down soon and find their balls, like Elizabeth already has.

    • Rhodium says:

      The Democrats, despite their many flaws, are the only party you’ll ever see the impetus for reform out of. The Republicans have shown themselves disinterested in any of these sorts of issues. Change will come from the left, but good change will only come if the left eschews the corrupt and unintelligent from their party. I’m not sure if I can set aside my cynicism long enough to believe it will happen but heck I’d vote for Warren 2020.

      • TJ Martin says:

        Though in essence despite being a staunch Independent we’re in agreement … but … I have yet to have heard word one from the DNC … or even Uncle Bernie on this one either . Which … may unfortunately be putting a sharp point on a reality we all need to come to grips with . When push comes to shove and money’s on the table neither side gives a rat’s posterior when it comes to their constituents or the common man .

        As for me ? I’m hoping against all hope Bloomberg puts his data aside coming to his senses and runs as an Independent in 2020 … assuming we actually make it to 2020 with some semblance of Democracy intact

      • alex in san jose AKA digital Detroit says:

        Rhodium – This is why I’ve joined the DSA. Think of them as “The Bernie Sanders people” they’re not a party so joining doesn’t change your party affiliation, but well, just read about ’em. I hurriedly sent off my $40 when I read that they want to get their numbers up where the Tea Party was in 2010; 10,000 members. I believe the DSA is up around 7,000 but the membership is growing fast.

        I’m going to tick a few die-hards off here but I really think Hillary’s a decent person and that’s why there was so much effort put into defaming her.

        I really hope the Repubs go the way of the Whigs, and the Democrats do a real house-cleaning.

      • Chris R says:

        Change could come from a Left if the US had a real one. The sorry neoliberal war-happy corporate stooges that comprise Team D, alas, are not that.

        • WorldBLee says:

          Agreed, and Team D also does its best to destroy/dilute/ignore any actual left forces. They’re actually more afraid of truly democratic forces more than they are of Republicans, who they’re happy to work with (unless it’s Trump, even though he stands for the same things; he makes it so obvious rather than concealing the collusion with Wall Street/Pentagon/Corporations/Deep State as Obama did so well).

    • cdr says:

      Jeff, as sad as I am to say this, there’s no such crime as criminally stupid. Lot of people belong in jail or worse because of the problems they cause by their immense thickness, hubris, carelessness, or charismatic halfwittedness. Being stupid is not a crime even though it should be. I know many who deserve a good flog (also not legal for some reasons I don’t comprehend.) Actually, I believe flogging should be applied towards criminally stupid people as jail is probably too complicated for them to understand.

      • Wilbur58 says:


        You’re one of my favorite commenters here. But please don’t assume a lack of crime when there is some.

        The subprime meltdown included loads of liars loans which are a felony. Most major banks should have seen people go to jail.

        And with Equifax, the insider trading is absurd. People should go to jail. When they don’t, in both scenarios, it just proves what a lawless society we’re in for the .1%.

      • kato says:

        “Criminal Negligence is a ‘misfeasance’ or ‘nonfeasance’, where the fault lies in the failure to foresee and so allow otherwise avoidable dangers to manifest.”

        • cdr says:

          Wilbur58, kato:

          In a perfect world, yes, you are correct. But in this world, that is Pollyanna thinking. Why aren’t any globalists in jail? Flogging the criminally stupid should be commonplace and legal.

        • kato says:

          I wonder which is the worse case…

          * The incompetence in our financial systems.
          * The growing lack of confidence in our legal systems.


      • George McDuffee says:

        RE: Lawsuits galore. But where are the handcuffs?
        Technology has again outrun the legal and regulatory systems.

        Commercial use of the internet has exploded in the last 20 years, and we should expect even more such debacles in the near future from the “new” disruptive technologies such as artificial intelligence/big data [for financial/commodity/fx, self-driving vehicles], genetic engineering, nano technology, etc.

        These debacles in general will not be due to some “Dr. Evil” mastermind, but will be the result of what I call “The Sorcerer’s Apprentice Effect,” whereby “forces” are summoned which “they” neither understand nor control, and of which the large majority of the population are totally unaware.

        Negligence [due to either gross stupidity or intentional omission] has long been subject to criminal law, civil actions and regulatory oversight [overkill?] in the physical world, for example exploding steam boilers on paddle wheel river boats and airplanes where the wings fall off.

        IMNSHO we desperately need legislation creating a new felony of “Careless and reckless operation of a business” to apply personally and individually to the officers and directors of a corporation which causes general societal damage.

        This can include bankruptcies, for example General Motors and Lehman, as well as virtual damage, such as the example of Equifax. The penalties could range from 30 days in jail and partial asset stripping [25-50%?] of net assets, to significant prison time [5 years/no parole] and total asset forfeiture. Without such a general managerial liability statute we will continue to play “whack-a-mole” with the digital/virtual equivalent of exploding steam boilers and novel technologies such as radium dial watches.

    • Carlada says:

      Oh, pleeeze. Warren was a Republican before she was a Democrat; don’t think too highly of her words. What has she produced? Rabid support of a criminal. I used to think highly of Warren. She’s like all the rest.

    • Dave says:

      It’s Even Worse… “More Equifax Lies? Company Originally Hacked Five Months Earlier Than It Disclosed”

      When Equifax first disclosed the shocking news on September 7 that its servers and some 143 million private accounts had been hacked, leaking everything from names, to addresses, to social security numbers, it stated in its press release that it had “learned of the incident on July 29, 2017” adding that “at which point it reported the intrusion to law enforcement and contracted a cybersecurity firm to conduct a forensic review: based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017.”

      As we commented then, it “oddly enough took shareholders and over a third of America, more than a month longer to learn that all their personal data may have been compromised.”

      And now, according to Bloomberg, it appears the company had lied again as it wasn’t “only one month” but nearly six that the company was aware that its systems had been violated without acting on the information:


      Let’s see if anyone goes to jail? This stock could be a great buy when the dust settles. Why? People have short memories!

  2. d says:

    Lawsuits galore. But where are the handcuffs?

    Horse is gone baby.

    Handcuffs may come after the private lawsuits have laid out all the evidence for a junior prosecutor to pick up.

    Much more importantly. What TF happened to the “Protect and Serve” element, in regulation and regulator activity ?????????????????????????????????????????????

    Should not data security, and systems Security, be covered by regulators of industries, holding so much critical population Data.
    Perhaps Lizze will be asking such questions.

    But again horse is gone, for over 150 million + Americans. FOR LIFE.

    • fozzie says:

      “Lawsuits galore. But where are the handcuffs?”

      Nobody at Equifax is going to jail because people’s info was stolen. It’s not illegal to be lazy about keeping your software infrastructure up to date. At most, the three execs who sold right before the leak may be convicted.

    • Kent says:

      “Much more importantly. What TF happened to the “Protect and Serve” element, in regulation and regulator activity ?????????????????????????????????????????????”

      Remember, government regulation is a bad thing. Budgets for regulatory agencies have been slashed for decades. The guys put in charge have often been from the regulated industries themselves. This is what we’ve been voting for.

      • Bobby Dale says:

        It seems over the past 20 years government regulation has become more of a shakedown of the regulated than protection of the public.
        Regulators make big noise about various offenses then accept a payout from the offenders who use stockholders’ money to pay. Other people’s money.
        I do not foresee much jail time here, except possibly the aforementioned inside traders, but clawback from all executives on the board and administration for the costs incurred would seem to be fair.

      • d says:

        “This is what we’ve been voting for.”

        This is what you have been voting for.

        In our country those agencies can’t even operate.

        They definitely would not be able to do what they do in our country, as it’s against the law here.

    • curious cat says:

      “Much more importantly. What TF happened to the “Protect and Serve” element, in regulation and regulator activity ?”

      In any bureaucracy, the people devoted to the benefit of the bureaucracy itself always get in control, and those dedicated to the goals the bureaucracy is supposed to accomplish have less and less influence, and sometimes are eliminated entirely…. In any bureaucratic organization there will be two kinds of people: those who work to further the actual goals of the organization, and those who work for the organization itself… The Iron Law states that in all cases, the second type of person will always gain control of the organization, and will always write the rules under which the organization functions. [Pournelle’s law of Bureaucracy]

      Thoughts from the Frontline
      The Future of the Global Economy
      SEPTEMBER 10, 2017

      • d says:

        I knew all that before I finished Primary/Elementary school.

        In America it seems to be “Protect and Serve” the Corporates.

        Which is not how it should be.

    • polecat says:

      Well, we will be NOT protected … but instead be served a frozen dish of rotting fish head soup !

  3. Rates says:

    I am actually prepared to go long on this one. Am I crazy? No, I smell that “American Capitalist” Warren Buffett making a “strategic” investment soon. Of course, his deal will be one where he cannot lose, but this smells right up his alley or should I say “wide moat”.

    • nick kelly says:

      I suspected Home Capital was a good buy before Buffett acted and I predict he won’t touch this one. What asset does Efax have apart from its database which is now worthless (actually negative because every file has cause to sue)?
      Check size of lawsuit: 70 BILLION.
      The value of Home Capital’s mortgages wasn’t affected by the run on its CDs, because the value of the properties wasn’t affected.

      Apart from its compromised data what does Efax have to offer?
      It’s not tech or ‘goodwill’.

    • cdr says:

      I’ll take the other side of that.

      Either nothing will happen (most probable) except an Elizabeth Warren public outrage exhibition (which will make the reporting agencies look sympathetic in contrast) or people will discover credit freezes are a good thing and make them easy to work with for all reputable credit extenders. The remaining three major reporting agencies will go away and/or be replaced by a library function that is for lookup only, not data sales to credit merchants. Credit reporting agencies are a necessary evil. It’s debatable that four are needed and what they do today is necessary.

  4. fozzie says:

    Add to the bad press and try a second time to make money shorting EFXg? I remember people saying BP would go to zero when Macondo blew.

  5. raxadian says:

    If millions of people join in suing the company, will it go bankrupt?

    • Arizona Slim says:

      Pretty please?

      And, in my opinion, a credit freeze should be your default state. If you need to unfreeze it, you should be able to do so at no charge.

    • Ethan in nova says:

      Just terminate the Equifax brand, spin up a new company, xfer the assets.

  6. MC says:

    When Ed Snowden blew the whistle a few years back, many big and small corporations started running around with their hair on fire.
    What got them worried sick was not so much government spying, but the inbuilt weaknesses in firmware and software the NSA was exploiting and which could be exploited by anybody with the technical skills to do so.
    Like it had already happened time and time again.
    Ironically among the big corporations affected was Lockheed-Martin, probably the largest contractor to the US government, which was hit hard by hackers operating out of Eastern Asia. A bit of poetic justice.

    Anyway, Ed Snowden spurred many many companies to take a good look at their digital security and opening their wallets to beef it up.
    As it often happens, many companies started to relapse in their old mistakes, which have often a Keystone Kops nature to it. Failure to patch known vulnerable systems (like it happened at Equifax) has become once again a major concern, as is the use of USB devices not tightly screened for bugs. Remember: that is how STUXNET got into the Natanz research facility, and according to Snowden and other whistleblowers the technology has only got far more sophisticated since.

    To this it must be added law codes throughout the world are growing at an ever accelerating pace but more often than not they still seem to consider digital security a thing for spooks and nerds, a niche sector.
    Outside periodic scandals, politicians and bureaucrats seem to care little about digital security. And that’s probably for the best.

    As I was once told, the guy or gal who wants to legislate your Internet has serious issues checking the email and his/her social media accounts are maintained by an unpaid intern fresh off the Uni.

    As Otto Von Bismarck once said, laws are a whole lot like sausages… it’s better not to know how they were made.

  7. Gershon says:

    With Wall Street’s capture of both political parties as well as regulators, enforcers, and the judiciary, you can rest assured that no CEOs or senior officers of corporations need ever fear perp walks or prison time for criminal negligence or malfeasance, no matter what the consequences to the proles. Holder, Lynch, and now Sessions were installed to ensure members of our financial and political elites could break the law with impunity. Rules are for the little people.

  8. walter map says:

    Except for the effect on Equifax stock, Mr. Market is utterly unconcerned, despite the threat presented by the Equifax breach and by data insecurity generally. That just seems odd to me.

    • JoeBob says:

      Since “Mr. Market” is really only the Fed anyway–and they have to keep buying equities to keep the illusion of this ever-increasing market going–the two things have ceased to be related.

  9. marco says:

    Handcuffs ? For anyone white and rich ? Surely you’re intoxicated .

    When you have corporate doormat Attorney Generals that lie down at the door of their office so the criminals can wipe their feet on their back (think Eric Holder) as they leave ?

    When your President gives corporate donors “Presidential Cufflinks” to wear, instead of handcuffs and orange jumpsuits ?

    • Bobby Dale says:

      What does skin color have to do with this situation? The color that matters is green.

  10. Kent says:

    This is the same as the gun slogan “guns don’t kill people, people kill people”. Which is true. But it also assigns zero liability to the person who sold the psychopath the gun in the first place.

    In this instance, Equifax isn’t going to take your identity and do bad things. Some bad guys, probably in eastern europe will. And Equifax has no liability for making it possible for them to do so. See, they’re not the bad guys. They’re just doing their jobs, perhaps haphazardly. But there is little downside.

    • RD Blakeslee says:

      Kent, I hope one downside crops up pretty quickly: Lawsuits (or any other impetus) to make credit freezes much less problematical for applicants.

    • Carlada says:

      Why would a gun-seller hold any liability for something that legally went out their door? If I cut my finger off with a knife, do I hold the knife company liable because they made it? Do I sue my home builder if I fall down the stairs in my home?

      Are you racist? “bad guys in eastern europe” comment is pretty bad and sad.

      • Kent says:

        I’m sorry, did I say a gun-seller should hold any liability? Let’s see what I said:

        “But it also assigns zero liability to the person who sold the psychopath the gun in the first place.”

        Nope, didn’t say he should be held liable. Just that he isn’t. A simple statement of fact.

        “Are you racist? “bad guys in eastern europe” comment is pretty bad and sad.”

        Nope, not a racist. Racism assumes treating someone differently based upon their perceived race. Eastern European is not actually a race. If I said “bad white guys”, now that would have been racist and sad.

        That having been said, it’s because part of my job is tracking computer security issues. And the best (or worst) actors come out of eastern Europe. I personally believe that is because the Internet kind of kicked off at the same time the USSR imploded. And a whole bunch of young, smart guys (and gals, lest I be called a sexist) in eastern Europe needed a way to make a living. Russia, Bulgaria and Romania have most of the best hackers on the planet.

        So, did you get my analogy between the gun salesperson and Equifax? Or do you think Equifax should be held liable where the gun salesperson isn’t?

        • Carlada says:

          Is there a reason my honest, forthright, simple, clear comments to two replies to me were removed? I guess truth really does hurt. Pathetic.

        • Wolf Richter says:

          I should have removed the last line of your first comment on the topic. That would have stopped that entire nonsensical detour. But by the time I got to it, Kent had already responded. So I let it go. It was an obnoxious line and totally off the mark.

      • steelhead says:

        If the safety latch is defective, the knife company does have liability if the individual pursues it.

        • Carlada says:

          If —I— cut my finger off (myself!) with a knife [food preparation, no safety latches here], no they are not held liable. If a safety latch on a pocket knife is defective, that is a totally separate situation (so your thoughts weren’t needed here).

          What you’re trying to opine here is that, say, GM would be held responsible if someone used their Suburban as a 3-ton human-driven missile. No, they are not responsible. If GM failed to issue a recall on brakes flying off said vehicle, and driver rear ends someone because of this, yeah they might be held responsible! Not equal!

          A safety latch not working properly =/= someone using a gun to shoot someone else, and gun merchant being held responsible for another’s actions.

          I guess schools don’t teach logic or debate anymore.

    • d says:

      NO it isn’t

      Gun dealers lock up well before they go home. Equifax didn’t even attempt to replace the broken lock for MONTHS.

  11. DK says:

    Does anyone or agency, track the number of identities that are stolen and then actually utilized?…. for their respective financial damage? It would be interesting to see what kind of fall-out this creates besides the obvious fear factor reaction it’s currently causing.
    I’m thinking this is a lot like terrorism. The actual damage is a rounding error, but the mass phobia and panic reaction is the desired outcome.

  12. Boiled Coffee says:

    The big issue and first hurdle for any lawsuit to prevail against Equifax will be in demonstrating actual injury.

    That is why I can understand the class action suits. The injury is easy to demonstrate, which is that hundreds of millions of people now need credit monitoring service and the actual injury to each member would be relatively low, e.g. $10 per month. So this is the perfect case for class action, injury easy to prove, facts straight forward and there is a ready-made settlement available: coupons for class members for credit monitoring service.

    Outside of class action, I have a difficult time seeing how consumer lawsuits will prevail, unless it is small claims. If you were to claim that identity theft resulted in financial harm, you would need to demonstrate that they used your data acquired from Equifax and not another source. Otherwise, I don’t see how one could possibly meet minimum thresholds to get out of small claims court.

    Attorneys have a huge incentive because they will likely make millions

  13. Winston says:

    Everyone needs to fully realize that this is not a temporary problem. Your personal data has been compromised FOR LIFE.

    • d says:

      It is highly possible that the current US credit reporting/score system, through these agencies, is effectively DEAD in the water also. As all the data in the system, is now compromised. FOR EVER.

      Today, if I was in credit and I ran a check and the data did not have a Lock/Freeze on it, my suspicions would be aroused instantly.

      • Chris R says:

        “It is highly possible that the current US credit reporting/score system, through these agencies, is effectively DEAD in the water also.” I agree & for most people that could be the best outcome.

        It’s a bit ridiculous for starters that following a subprime mortgage lending crisis & during a subprime car lending fiasco & during layers of QE & TARP to keep zombie banks going (with the aid of fraudulent accounting) that we all in a country with a $20 trillion & growing debt let a few corporations tell the world that any single American is a uniquely bad credit risk!

    • sparky says:

      Very true, Winston. A lifetime compromise!

      What I’d like to know since this was the 3rd hack @ Efax, were the names from hack #1 different from those of hack #2 and different again than those of hack #3?

      WAS this an ongoing accumulation harvest? Cui Bono? I read the most recent hack, (#3) was half of US population. PLUS — the chutzpah of those Corporate Officials dumping their corporate stock PRIOR to public announcement?

      Thanks Wolf for your efforts to delve more deeply into this stench.

  14. Johm Smith says:

    Easy to scream for handcuffs, but what law was broken? Stupidity is not a crime. And all those saying that bankers should be in handcuffs for the financial crisis forgot one thing … it was and still is a felony to lie on a loan application. How many so called “working class” people blatantly lied on their mortgage application? For those wanting another example, search pension fraud on Long Island railroad. FBI had to get involved, but how come democrats didn’t recommend handcuffs or any bills for this crime? LIRR riders will be paying for this fraud for generations.

  15. TheKid says:

    Ok so I’m going to ask a dumb question here: what about the hackers themselves? Should we not be pursuing this group with the same level of anger?

    Don’t get me wrong, I do think that the Equifax execs deserve jail time, fines or at least to get canned. Their stewardship of private customer data was a complete failure and the initial response to this shows an arrogant contempt for their customers.

    The other side of the coin is that there is now a group of people who possess and will profit from information that doesn’t belong to them. This information will likely be sold to companies who may wilfully not ask questions while knowing where it came from.

    We should not be forgetting to point the finger at the hackers nor the people they sell to.
