Equifax left sensitive consumer information exposed to hackers by relying on a computer code it should have known was vulnerable to attack and without having safeguards to protect the data, the state of Massachusetts said in a lawsuit filed Tuesday.
It's the first lawsuit filed by a state against the credit reporting agency for the massive hacking that was revealed earlier this month.
The state's attorney general said still-unidentified third parties entered Equifax's system through a section of its website where consumers could dispute information on their credit reports. The hackers were in the system from mid-May through July without Equifax detecting them, the lawsuit said.
What's more, Equifax didn't upgrade security for its website even though such fixes were available as early as March, and it didn't put in safeguards like encryption that would have protected the data, the state said.
On CNBC's "Power Lunch" Tuesday, Massachusetts State Attorney General Maura Healey said, "Equifax needs to make this right. They need to pay for their mistakes in leaving so many of us so vulnerable."