Massachusetts says Equifax hack exposed more than half the state to risk of fraud

Equifax left sensitive consumer information exposed to hackers by relying on computer code it should have known was vulnerable to attack, and without having safeguards in place to protect the data, the state of Massachusetts said in a lawsuit filed Tuesday.

It’s the first lawsuit filed by a state against the credit reporting agency for the massive hacking that was revealed earlier this month.

The state’s attorney general said still-unidentified third parties entered Equifax’s system through a section of its website where consumers could dispute information on their credit reports. The hackers were in the system from mid-May through July without Equifax detecting them, the lawsuit said.

What’s more, Equifax didn’t upgrade security for its website even though such fixes were available as early as March, and it didn’t put in safeguards like encryption that would have protected the data, the state said.

“We allege that Equifax knew about the vulnerabilities in its system for months, but utterly failed to keep the personal information of nearly three million Massachusetts residents safe from hackers,” state Attorney General Maura Healey said in a statement.

The company did not immediately respond to a CNBC request for comment about the lawsuit, which was filed in Suffolk County Superior Court.

In the lawsuit, Massachusetts says Equifax’s failure to secure consumer information means it has exposed more than half the state’s adult population to the risk of identity theft, tax return scams, financial fraud, health identity fraud and other harm.

[Photo: Credit reporting company Equifax corporate offices are pictured in Atlanta, Georgia, September 8, 2017. Tami Chappell | Reuters]

Equifax has been scrambling to respond to the outpouring of criticism about the breach, in which hackers took personal information like Social Security numbers, names, addresses and birth dates for up to 143 million consumers. The company said it discovered it in late July. It didn’t disclose it publicly until Sept. 7.

Some critics have pointed out that Equifax might have prevented the issue by moving more quickly to update its security. A flaw in a web application it used was disclosed in March, and the software's developer, the Apache Software Foundation, issued a fix at that time.

Equifax has said it discovered the breach July 29 and blocked suspicious traffic. It said it saw more suspicious activity on July 30 and took the application offline. It also said it was aware of the vulnerability disclosed in March and made efforts to identify and patch any vulnerable systems.

After Equifax announced the breach, the Apache foundation said the data were compromised by Equifax’s “failure to install the security updates in a timely manner.”

Massachusetts had previously announced plans to file the lawsuit, which is seeking unspecified civil penalties and other relief. Several other states have banded together to investigate, and members of Congress have demanded that Equifax executives travel to Washington to testify. The Federal Trade Commission also said it is investigating.

The July hack followed a data breach in March involving a payroll and tax service Equifax offers, though the company said the two intrusions are not related. In that earlier breach, hackers managed to reset passwords for employees of some companies that used the service and then were able to take payroll and tax information.

In a statement to CNBC, an Equifax spokesman said the company told customers, affected individuals and regulators. “The criminal hacking that was discovered on July 29 did not affect the customer databases hosted by the Equifax business unit that was the subject of the March event,” the statement said. “The two events are not related.”