Equifax faces small business class action over data breach

Small businesses in the US have filed a class-action lawsuit against credit rating firm Equifax, representing millions of others affected by a breach of personal data

Small businesses are suing credit rating firm Equifax for current and future damages resulting from the data breach in mid-2017 that was reported only in September.

Around a month after the breach is believed to have taken place, Equifax revealed that more than 140 million US and Canadian consumers and around 400,000 UK consumers were affected by the breach.

Following a forensic investigation by cyber security firm Mandiant, Equifax announced that the breach was believed to have exposed the names, social security numbers, birth data, addresses and, in some cases, driver’s license numbers of 143 million US consumers.

In addition, credit card numbers for approximately 209,000 US consumers, and certain dispute documents with personal identifying information for approximately 182,000 US consumers, were accessed.

An estimated 28 million small businesses face special risk of suffering multiple damages arising from the breach, according to the class-action lawsuit complaint filed by attorneys with The Doss Firm.

The complaint cites a warning by the state of Colorado that identity theft is a crime that affects more than nine million people and costs over $56bn to the economy every year, according to the Better Business Bureau.

According to the warning, business identity theft – also known as corporate or commercial identity theft – is a new development in the criminal enterprise of identity theft.

In the case of a business, a criminal will hijack a business’s identity and use that identity to establish lines of credit with banks or retailers. With these lines of credit, the identity thieves will purchase commercial electronics, home improvement materials, gift cards, and other items that can be bought and exchanged for cash or sold with relative ease.

The damage can be devastating to the victim’s business, and the impact on the victim’s credit history can lead to denial of credit, which can lead to operational problems, the warning said.

‘Double whammy’ for small businesses

The complaint alleges that Equifax unduly put small business operators at risk in terms of the cost of Equifax business reports, the availability of credit and exposure to business identity theft, which for small business owners is often directly linked to their personal credit.

According to the complaint filed in the Atlanta division of the US district court for northern Georgia: “Unlike consumers who are entitled under federal law to obtain one free credit report annually, businesses must pay for their credit reports.

“Many of the 143 million individuals whose PII [personally identifiable information] was hacked are also owners of small businesses that heavily rely on personal and business credit to operate and provide for families across this country.”

Attorney Jason Doss said: “This is a real double whammy situation for small business owners whose access to credit can often live or die in terms of their personal creditworthiness. The breach could either damage the business directly through identity theft or it could cripple access to small business credit by damaging the ‘linked’ credit of the individual who owns the enterprise.”

According to the complaint, about 60% of small businesses use loans to finance their operations, and use the loan capital for a variety of purposes, ranging from maintaining cash flow and working capital to purchasing equipment and financing real estate purchases. 

“The ability of small businesses to obtain loans and other forms of credit is dependent on the creditworthiness of the business owner,” the complaint states.

A note in the complaint states that the US Small Business Administration (SBA), for example, requires all businesses applying for an SBA loan to submit a personal financial statement for the business owner as part of the loan application process.

Equifax said while around 400,000 UK consumers were affected by the breach, the leaked data was restricted to: name, date of birth, email address and a telephone number, making identity takeover “unlikely”.

However, the company said it would be contacting affected UK consumers in writing to offer them a free comprehensive identity protection service.

Equifax investigation still ongoing

The plaintiffs named in the US legal complaint include real estate firms, a law firm, and a consulting firm.

The class-action lawsuit seeks to recover damages, including time spent monitoring financial accounts for signs of ID theft or other criminal activities and legal costs.

The company identified a known and patched vulnerability in the Apache Struts web application framework as the initial attack vector. Equifax said it was aware of the vulnerability before the breach and had taken steps to identify and patch any vulnerable systems.

While the breach appears to be the result of a failure in the company’s patching regime as at least one vulnerable system was overlooked, Equifax has implied that other factors may have been involved.

The company said in a statement: “While Equifax fully understands the intense focus on patching efforts, the company’s review of the facts is still ongoing. The company will release additional information when available.”

Days after reporting the breach, Equifax announced that chief information officer Susan Mauldin and chief security officer David Webb were “retiring” and that Mark Rohrwasser and Russ Ayres would take over the roles with immediate effect.   
