Equifax has been scrambling to respond to the outpouring of criticism about the breach, in which hackers took personal information like Social Security numbers, names, addresses and birth dates for up to 143 million consumers. The company said it discovered the breach in late July, but it didn’t disclose it publicly until Sept. 7.
Some critics have pointed out that Equifax might have prevented the issue by moving more quickly to apply security updates. A flaw in a web application it used was exposed in March, and the developer, the Apache Software Foundation, issued a remedy.
Equifax has said it discovered the breach July 29 and blocked suspicious traffic. It said it saw more suspicious activity on July 30 and took the application offline. It also said it was aware of the vulnerability disclosed in March and made efforts to identify and patch any vulnerable systems.
After Equifax announced the breach, the Apache foundation said the data were compromised by Equifax’s “failure to install the security updates in a timely manner.”
Massachusetts had previously announced plans to file the lawsuit, which is seeking unspecified civil penalties and other relief. Several other states have banded together to investigate, and members of Congress have demanded that Equifax executives travel to Washington to testify. The Federal Trade Commission also said it is investigating.
The July hack followed a data breach in March involving a payroll and tax service Equifax offers, though the company said the two intrusions are not related. In that earlier breach, hackers managed to reset passwords for employees of some companies that used the service and then were able to take payroll and tax information.
In a statement to CNBC, an Equifax spokesman said the company told customers, affected individuals and regulators. “The criminal hacking that was discovered on July 29 did not affect the customer databases hosted by the Equifax business unit that was the subject of the March event,” the statement said. “The two events are not related.”