Equifax Inc. violated Indiana consumer protection laws in connection with its massive 2017 data breach, the state attorney general is alleging in a new lawsuit.
Almost 4 million Hoosiers—nearly two-thirds of the state’s population—had data compromised in the breach, Attorney General Curtis Hill (R) said May 6 in announcing the lawsuit, which seeks damages and an injunction against the credit scoring company.
Indiana became the third state to sue Equifax over the breach, which compromised personal information of about 147.9 million Americans. Massachusetts and West Virginia have alleged Equifax should have done more to protect consumer data, which included credit card numbers, social security numbers, birth dates, addresses and driver’s license numbers. Massachusetts’s September 2017 lawsuit and West Virginia’s April 2018 lawsuit are pending.
Equifax is reviewing the Indiana complaint and can’t comment on pending litigation, company spokesman Wyatt Jefferies said in a email.
Equifax didn’t timely patch a vulnerable online dispute portal, allowing hackers to invade their system, according to Indiana’s complaint. The state claimed Equifax’s failure to protect the data, and misrepresentations about the company’s security, violated the Indiana Deceptive Consumer Sales Act. Equifax also allegedly failed to notify affected consumers as required by state law.
Christopher Proffitt, a spokesman for Hill, said Indiana waited to sue because it first conducted a thorough investigation and “wants to obtain information to determine whether and what alleged violations of Indiana law may have been perpetrated by an individual or business prior to filing a lawsuit and that filing a lawsuit is the last resort.”
The case is: Indiana v. Equifax Information Services LLC, Ind. Cir. Ct., complaint filed 5/6/19. Marion County Circuit Court hasn’t given the lawsuit a case number yet.