By SecureWorld News Team
Wed | Sep 20, 2017 | 7:50 AM PDT

Massachusetts is now the first state in the nation to sue Equifax over its massive data breach that potentially impacted 143,000,000 Americans. 

State Attorney General Maura Healey did not mince words:

“We allege that Equifax knew about the vulnerabilities in its system for months, but utterly failed to keep the personal information of nearly three million Massachusetts residents safe from hackers,” she said.

The suit also says Equifax could have helped protect consumers by encrypting the data it holds, but the company failed to do so.

“In all of our years investigating data breaches, this may be the most brazen failure to protect consumer data we have ever seen,” the Attorney General said.

Warnings From Apache and NIST Ignored

The 28-page lawsuit, filed in Massachusetts on Tuesday, September 19, spends considerable time on Equifax's failure to patch a known vulnerability in the Apache Struts framework, which was the hackers' method of entry.

  • Warning from Apache: The state says the company ignored a March security bulletin directed to "All Struts2 developers and users" which warned that the software was vulnerable to Remote Code Execution (RCE). The bulletin labeled both the vulnerability and the update at the highest severity level, "critical."

  • Warning from NIST: The lawsuit includes a NIST notice on the Apache Struts vulnerability as an exhibit to the court. It says NIST cited the Common Vulnerability Scoring System (“CVSS”) and ranked the risk as a 10.0, the highest possible score. It also quotes the NIST bulletin:

"The NIST Notice also stated that an attack based on the vulnerability “[a]llows unauthorized disclosure of information,” would be low in complexity to accomplish, and would not require the attacker to provide authentication (for example, a user name and password) to exploit the vulnerability. The NIST Notice also documented over twenty other website resources for advisories, solutions, and tools related to the March Security Vulnerability and how to patch or fix it."

Consumers Have No Choice - Their Data Is Held By Equifax

There have been a lot of lessons from the Equifax breach. Many Americans were surprised to learn that Equifax knew all about them even if they did not know about Equifax. The state of Massachusetts paints this picture for the court:

"Consumers do not choose to give their private information to Equifax, and they do not have any reasonable manner of preventing Equifax from collecting, processing, using, or disclosing it. Equifax largely controls how, when, and to whom the consumer data it stockpiles is disclosed. Likewise, consumers have no choice but to rely on Equifax to protect their most sensitive and personal data. Accordingly, it was and is incumbent on Equifax to implement and maintain the strongest safeguards to protect this data. Equifax has failed to do so."

The lawsuit says it seeks restitution and other remedies so that in the aftermath of this mega-breach, the company is not allowed to 'prioritize profits over the safety and privacy of consumers.'
