San Francisco sues Equifax over massive data breach

Equifax is being sued by the city of San Francisco. City Attorney Dennis Herrera has filed a lawsuit against the credit reporting agency in San Francisco Superior Court for “failing to protect the personal data of more than 15 million Californians.”

The lawsuit further accuses Equifax of violating California state law, failing to provide timely notice of the data breach to affected Californians, and failing to provide complete, plain and clear information.

San Francisco is the first city in the country to sue Equifax over the massive data breach that compromised the personal information of 143 million U.S. consumers.

The company disclosed the breach on Sept. 7, 2017, six weeks after it learned its system had been compromised.

“Equifax’s incompetence would be comical if the subject matter weren’t so serious,” Herrera stated.

“This company fell asleep at the switch and upended the lives of millions of people. The information that Equifax failed to safeguard is what people need to open a bank account, buy a home or rent an apartment. Now Californians have been put at risk of identity theft for years to come.”

According to the lawsuit filed in San Francisco Superior Court on behalf of the people of the State of California, Equifax violated state law governing unlawful, unfair or fraudulent business practices by:

  • failing to implement and maintain reasonable security procedures and practices
  • failing to provide timely notice of the data breach to affected California consumers
  • when it finally provided notice, failing to provide complete, plain and clear information

The lawsuit seeks restitution for California consumers who purchased credit monitoring services from Equifax prior to Sept. 7, 2017, civil penalties of up to $2,500 per violation of the law, and a court order requiring Equifax to implement and maintain appropriate security procedures for the highly sensitive information it handles.

Equifax collects names, phone numbers, addresses, social security numbers, dates of birth, financial account information and other data for 820 million consumers worldwide.

However, its website runs on open-source software called Apache Struts. Equifax didn’t install a freely available “patch” to fix a vulnerability in the software after the security problem was detected and publicly announced on March 7, 2017 by various organizations. Equifax could have prevented the data breach by implementing the free patches and fixes provided by the Apache Software Foundation in March 2017.

“When you’re dealing with highly sensitive information, keeping your software up to date is such a basic step,” Herrera said.

“Equifax also could have encrypted this information or segmented the data in separate databases to prevent hackers from being able to access all of a person’s information at once. Equifax did none of that.”

Instead, from May 13, 2017 to July 30, 2017, someone hacked into Equifax’s computer system using the vulnerability and stole data impacting 143 million people, or roughly 44 percent of the U.S. population. Equifax discovered the data breach on July 29, 2017 but didn’t alert customers to the problem until it posted a notice on its website on Sept. 7, 2017, six weeks later.

“Equifax made a bad situation worse,” Herrera said. “Their delay prevented more than 15 million California consumers from taking immediate action to protect themselves from the risk of identity theft and fraud.”

California law requires entities that do business in the state to notify the owner or licensee of the information about a data breach “immediately following discovery, if the personal information was, or is reasonably believed to have been acquired by an unauthorized person.”

The notice that Equifax finally posted contained confusing and misleading information and didn’t include information required under California law.

