Skip to content
Naked Security Naked Security

Equifax is facing a towering pile of class action law suits

More than 70 different class action suits are in the works

Remember how deposed Equifax CEO Rick Smith got trotted around Capitol Hill to have his wrist metaphorically slapped by several congressional committees following what security journalist Brian Krebs so memorably referred to as the “dumpster fire” of a breach?

…and remember how we told you not to hold your breath with regards to real reform in the data brokerage industry? After all, in spite of congressional members saying that the company’s pre- and post-breach actions/inactions “smelled really bad,” there was zero talk of serving Equifax execs with subpoenas.

Well, subpoena time may have gotten yet another class-action lawsuit closer. If Washington isn’t going to slap some payback out of Equifax, then hopefully one or more of the 70+ class action lawsuits filed since the breach was disclosed on 7 September 2017 will do some good.

The law firm of Strimatter Kessler Whelan just filed another one: a national class action complaint (PDF) against Equifax in the US District Court of the Western District of Washington, in Seattle. The case is still in its early stages, but the law firm says it’s signed three named plaintiffs.

A woman who believes she’s one of the 140 million victims says her identity has been stolen 15 times since the breach.

Katie Van Fleet, of Seattle, says she’s received letters from stores including Kohl’s, Macy’s, Old Navy and Home Depot, thanking her for her credit applications. Nope, didn’t apply for any such, Van Fleet says. She and her Strimatter attorney, Catherine Fleming, believe that her personal data was stolen during the Equifax hack.

It’s a fine kettle of fish to be forced to deal with when you’re trying to buy a house, as is Van Fleet. What’s particularly galling is that neither she nor any of us have a choice about credit reporting agencies gobbling up our data, she says… and then disgorging it upon the internet:

I feel very helpless. I didn’t sign up to Equifax so I feel all of that stuff has been taken and I’m left here trying to sweep up the pieces and protect myself and protect my credit.

The Seattle suit is alleging that, among other things, Equifax…

  • “Willfully, knowingly, callously, recklessly, and negligently” let hackers get at the personally identifying information (PII) of more than 100 million US citizens, green card holders and business customers without their prior express consent, and “without regard” for what would be done with the data.
  • “Exploited the harm” done to the victims with an incident response site that offered the “deceptive promise” of one year of free credit monitoring by its wholly owned subsidiary, TrustedID, in exchange for users waiving their right to pursue legal action.
  • Knew, or should have known, about the breach when it happened or soon thereafter, but three company execs cashed in almost $2 million worth of shares weeks before they told shareholders or affected consumers and business owners.

The suit alleges that Equifax is forcing people or businesses to give up the right to sue it but the company, given a good bit of grief over the issue, updated its policy on 11 September to state that:

…enrolling in the free credit file monitoring and identity theft protection products that we are offering as part of this cybersecurity incident does not prohibit consumers from taking legal action.

The suit alleges that it’s “unfair, deceptive and otherwise wrongful conduct under state and federal law” for Equifax to “[create] the illusion that Plaintiffs and other consumers may benefit” from the cash cow that is TrustedID.

Stritmatter has another term for Equifax’s TrustedID credit monitoring: it’s calling it “profiteering.”

No one should feel safe about this breach after one year. Typically, bad actors hold onto Personally Identifiable Information for a period of time with the intent of escaping the breach victim’s attention.

Indeed, bad actors can hold onto our PII for years: long enough for the Equifax breach, and the company’s jaw-dropping sloppiness before and after the breach, to fade from the headlines and from the collectively short attention span of Capitol Hill; long enough for some of us to get tired of the inconveniences of credit freezes and free up our credit so we can carry on with life as we take out mortgages, buy cars, apply for credit lines and so on.

If you’re thinking about joining a class action suit against Equifax, there are a few things to keep in mind.

For one, as pointed out by Consumer Reports, if you join a class action, alleging serious financial, physical, or other harm, you give up your right to sue a company on your own.

Keep in mind that proving an individual’s loss is going to be tough. Another proposed class-action lawsuit filed in Oregon accuses the company of negligence by failing to take appropriate measures to protect consumer data. It estimates billions of dollars in losses.

How much loss has any individual suffered? Well, that amounts to the grand total of $19.95 – the amount one of the Oregon plaintiffs paid for a third-party credit monitoring service after the breach was announced, according to the complaint.

Can anybody put a dollar sign on the amount of work and aggravation that somebody like Van Fleet has gone through to clean up her credit report and the onslaught of identity theft she’s suffered?

At this point, it’s up to lawyers, and the courts, to ascertain.


The problem is Congress can say what they want but their actions tell a very different story. Senate has dismantled a Consumer rule in regards to Arbitration. The vote was 51-50 with Mike Pence casting the deciding vote.


Correct, how can consumers get a legal break if our congressman (supposed to be representatives of the people) side with the banksters?
They have in affect taken away our right to legal remedy when a financial institution has defrauded us (consumers) or acted in a negligent way with our most personal information!


With a little luck 70 lawsuits will be juuuuust enough to put Equifax out of business** and bring The Big Three down to two (or four down to three if we count Innovis, which I’d never heard of before the Equifax story broke).

** Heartfelt apologies to those employed there earning sustenance to feed their families, and semi-sincere apologies to those who make cash sharing and checking my credit score for reasons benefitting themselves more than benefitting me.


Forgive me Miss Vaas but this is nothing more than a feeding frenzy among the sharks. I dare say that only a very small percentage of these cases will make it to court and of those that win a verdict for will be overturned in appeals. Any hope of justice for us mere mortals lay with our Government. It was their rules that allowed this to happen. Buying our personal information is big business and an invasion of our privacy. Class Action Suites are a waste of time. Give me a solution that works not a fight in a battle that I will eventually lose. Thank you for a fine article.


Hopefully, but doubtful, that this individual froze her credit when we all became aware of this breach. I immediately took action after I submitted my info to Equifax and was told that my social security number had been compromised. So far, I have had no credit issues.


The only class to benefit from these class action lawsuits is the attorney class, and the only action is the transfer of someone else’s money to their pockets,


Have any of the suits been of what I consider the “Holy Grail” of lawsuit material: emotional distress? For that, we don’t have to prove actual damages, just that we were forced to worry about it by the company’s negligent actions and that Equifax actually had our data (i.e. we actually had something to worry about).
Just one of that kind of suit being won would cause all such companies to really crank up security.
A company with that kind of information simply can’t be allowed to be breached. The data’s integrity should be their number one priority. Obviously, it wasn’t at Equifax, and that will hopefully cost them their company. We can only hope that the executives can spend some time behind bars, too.


How can I get involved in the lawsuit.


From the Stritmatter site: “For those interested in learning more directly from us, please email us at and read our “FAQs for Interested Clients” at the bottom of the page. Please check back frequently, as we will continue to provide updates by way of this webpage.”

As Tracy commented above, we don’t know how many of these class actions will make it to court. You might want to check out the other ones: I haven’t searched for, nor researched, all the 70+ class actions being organized. But FWIW, New York AG Eric Schneiderman is investigating, and he impresses me.


Thank you for the followup Miss Vaas. It is possible that if enough people get involved then there may be a slim chance that Equifax will feel some sting from this. In my opinion it will take all of the Suites being pooled and some smart people who are not, “Just out for the money”, to get some results. As for Mr. Schneiderman, I hope you are right. I have read some of his opinions and I find he and I are in disagreement an a few. You must forgive an old man his weakness for rants. As for the fore mentioned New York A.G., that discussion of is best done elsewhere.


can I get involved


If you are referring to the Class Action Suites then Miss Vaas posted a link in her comment to the Stritmatter site. There is some good information there. Other ways to get involved would be to engage your friends and neighbors to confront your State Attorney General, State Representative and local Congressman to let them know that you are displeased with the situation and want something done. In the mean time you should take steps to protect yourself. There are some fine articles here that may help point you in the proper direction to that protection.


The big problem is that these hackers can hold your data for a year or more and then use it. By then we have no idea if it really was from Equifax or something else.

These companies need to be held to a very high standard and when something like this happens then heads need to roll and massive fines need to be levied. Otherwise these companies do not care.

5 years from now I might be looking for a new home only to find out that somehow I just purchased a home a year before and never made a payment on it. The burden of proof then falls on me to convince these same companies that my identity was stolen. Sadly, only congress can really do something and we have seen so far that they are only showboating and Equifax will walk away losing some stock market value and nothing else. Those exec’s, they got cushy severance payments and they are now going to retire on a beach sipping fruity drinks and live their days out.

We the little people are the ones to lose out.


Here’s to hope that real monetary victims of this will step out of thier complacency and provide the evidence of financial loss that has been hidden from us for all these years of online reality.

I don’t believe the average class action suit payout of $20/claimant reflects the true system-wide financial losses. And I think the reason for this is the industry self-preservation reaction has been to cover the loss directly (i.e., credit card companies pay the thief’s bills) and pass it back to all consumers as part of thier business model. This cover-up provides little financial incentive for forceful consumer reactions to correct the root causes of the problem.

Compound the above scenario with political complacency and inadequate education on the value of our constitutional rights to privacy, which our digital world places squarely into the abstract, and we have a receipe for personal financial and national ruin.

So, here’s to hope we will recover from future ruiness economic impacts of this and fix it before it takes away democracy and freedom as we know it today.


I hope they get sued out of existence. Let their company go under. That will serve as an example to the remaining on how they should conduct themselves.


Suing them out of existence hurts the low- and mid-level employees. The high-level employees withheld information about the breach until they had sold all their stock and stock options, then retired on generous pensions, leaving their successors to deal with the breach. Probably no one will go after them.


Some good news: Washington State has a new bill before the legislature to eliminate their current $10 charge for freezing and un-freezing credit reports. Yea!

Other states in the majority on this situation should follow Washington’s lead. No more fees to get protection we deserve!


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!