- Massachusetts is suing Equifax seeking unspecified civil penalties and other relief.
- It's the first lawsuit filed by a state against Equifax for the hacking.
- The data breach affects 143 million people, some 3 million of them in Massachusetts, as investigations by multiple states continue.
Equifax left sensitive consumer information exposed to hackers by relying on a computer code it should have known was vulnerable to attack and without having safeguards to protect the data, the state of Massachusetts said in a lawsuit filed Tuesday.
It's the first lawsuit filed by a state against the credit reporting agency for the massive hacking that was revealed earlier this month.
The state's attorney general said still-unidentified third parties entered Equifax's system through a section of its website where consumers could dispute information on their credit reports. The hackers were in the system from mid-May through July without Equifax detecting them, the lawsuit said.
What's more, Equifax didn't upgrade security for its website even though such fixes were available as early as March, and it didn't put in safeguards like encryption that would have protected the data, the state said.
On CNBC's "Power Lunch" Tuesday, Massachusetts State Attorney General Maura Healey said, "Equifax needs to make this right. They need to pay for their mistakes in leaving so many of us so vulnerable."
The lawsuit was filed in Suffolk County Superior Court.
In a statement, an Equifax spokesperson said, "We cannot comment on pending litigation. Equifax reached out to state and federal regulators at the time of the public announcement to inform them of the breach and to establish open lines of communications. Since then, Equifax has been in regular communication and is cooperating with federal agencies, regulators and state attorneys general. Equifax has agreed to provide testimony to Congress and we will continue to work with all these parties to resolve the issues."
In the lawsuit, Massachusetts says Equifax's failure to secure consumer information means it has exposed more than half the state's adult population to the risk of identity theft, tax return scams, financial fraud, health identity fraud and other harm.
Equifax has been scrambling to respond to the outpouring of criticism about the breach, in which hackers took personal information like Social Security numbers, names, addresses and birth dates for up to 143 million consumers. The company said it discovered it in late July. It didn't disclose it publicly until Sept. 7.
Some critics have pointed out that Equifax might have prevented the issue by moving more quickly to update the security. A flaw in a web application it used was exposed in March and the developer, Apache Software Foundation, issued a remedy.
Equifax has said it discovered the breach July 29 and blocked suspicious traffic. It said it saw more suspicious activity on July 30 and took the application offline. It also said it was aware of the vulnerability disclosed in March and took efforts to identify and patch any vulnerable systems.
After Equifax announced the breach, the Apache foundation said the data were compromised by Equifax's "failure to install the security updates in a timely manner."
Massachusetts had previously announced plans to file the lawsuit, which is seeking unspecified civil penalties and other relief. Several other states have banded together to investigate, and members of Congress have demanded that Equifax executives travel to Washington to testify. The Federal Trade Commission also said it is investigating.
The July hack followed a data breach in March involving a payroll and tax service Equifax offers, though the company said the two intrusions are not related. In that earlier breach, hackers managed to reset passwords for employees of some companies that used the service and then were able to take payroll and tax information.
In a statement to CNBC, an Equifax spokesman said the company told customers, affected individuals and regulators. "The criminal hacking that was discovered on July 29 did not affect the customer databases hosted by the Equifax business unit that was the subject of the March event," the statement said. "The two events are not related."