SAN JUAN – The Commonwealth of Puerto Rico has sued credit bureau Equifax for failing to protect the identity of more than one million people following last year’s data breach. No specific amount in damages was provided.
More than one million island residents may have been affected by the cyberattack Equifax announced on Sept. 7, 2017, which impacted more than 143 million U.S. consumers.
“By failing to protect confidential consumer information, Equifax exposed over half of the adult population of Puerto Rico to the risk of identity theft, tax return scams, financial fraud, health identity fraud, and other harm. Affected consumers have spent, and will continue to spend, money, time, and other resources attempting to protect against an increased risk of identity theft or fraud, including by placing security freezes over their credit files and monitoring their credit reports, financial accounts, health records, government benefit accounts, and any other account tied to or accessible with a social security number. The increased risk of identity theft and fraud as a result of the Data Breach also has caused Puerto Rico consumers substantial fear and anxiety and likely will do so for many years to come,” the lawsuit filed Thursday in U.S. District Court reads.
From at least March 7, 2017, through July 30, 2017, Equifax left at least 143 million consumers’ sensitive and private information exposed and vulnerable to thieves and hackers by relying on certain open-source code, called Apache Struts, that Equifax knew or should have known was insecure and subject to exploitation, the suit says.
“Although patches, workarounds, and other fixes for the vulnerability were available and known to Equifax as of March 7, 2017, Equifax failed to utilize these public and available remedies or employ proper security controls, such as encryption or multiple layers of security, that were sufficient to protect consumers’ personal data,” the suit adds.
Back in September, Consumer Affairs Secretary Michael Pierluisi clarified that the breach did necessarily mean Puerto Rico residents had been victims of identity theft.
The representative for the District of Carolina, Rep. Ángel Matos, introduced an investigative resolution (Joint House Resolution 554) to order the Consumer, Banking and Insurance Committee to investigate the reasons for cyberattacks and their effects on the island.
Massachusetts also sued Equifax, with the judge rejecting Equifax’s argument that the Commonwealth did not adequately allege that Equifax owns or licenses personal information according to state law.
“An entity that creates and owns proprietary databases containing consumers’ personal information would appear to ‘own’ that information,” the judge said.
In late July 2017, Equifax discovered that criminals had gained access to company files containing, among other information, names, social security numbers, dates of birth, addresses and driver’s license numbers, and in some cases credit card numbers.
The company offered an online tool for consumers to identify if they were potentially affected. The address is www.equifaxsecurity2017.com.
In addition, the company offered credit-monitoring reports free-of-charge to those affected.