Instead of notifying more than 143 million people of a breathtaking data breach that potentially compromised personal and financial information in their credit files, Equifax executives were selling their stock, a federal class action lawsuit claims.
On Thursday, soon after Equifax executives began going public about a massive hack of their credit files, former Georgia Gov. Roy Barnes filed the class action suit in federal court in Atlanta on behalf of all consumers whose data was compromised.
The suit accuses the Atlanta-based credit bureau of “gargantuan failures” in securing and safeguarding consumer information and compounding the resulting problems by failing to provide timely, accurate and adequate notice about the breach, which Equifax acknowledges occurred between mid-May and July.
Equifax acknowledged in public statements that it discovered on July 29 that the company’s credit data had been hacked. Barnes’ suit alleges Equifax delayed notifying consumers of the massive data breach, while three of the company’s top executives sold at least $1.8 million worth of stock.
The suit contends that Equifax Chief Financial Officer John Gamble sold Equifax shares worth $946,3874; Joseph Loughran, president of Equifax’s U.S. information solutions, exercised options to sell stock worth $584,099; and Rodolfo Ploder, president of the company’s workforce solutions, sold $250,458 worth of stock. The suit was filed on behalf of James McGonnigal, a Maryland resident who discovered that four unauthorized credit accounts had been opened in his name, and Brian F. Spector, a Florida attorney and mediator. Morgan & Morgan in Tampa has joined with the Barnes Law Group in bringing the class action.
On Friday, Barnes called the Equifax hack “monumental” and “a consumer’s worst nightmare.”
“You are talking about half the United States,” he said. For hackers and cyber-criminals, he added, “Credit bureaus are like a treasure trove.”
Barnes said he is “particularly concerned” that three Equifax executives sold hundreds of thousands of dollars in stock shares before the company went public with the data breach. “They said they didn’t know about the breach. … But it looks like they were looking after themselves, not everybody else,” he said.
The suit seeks as-yet-unspecified damages for negligence, violations of federal Fair Credit Reporting Act laws and Georgia’s Fair Business Practices Act statutes. Asked if he had any early estimate of the potential damages, Barnes replied, “We haven’t crossed that bridge yet.” The alleged damages would flow, in part, from potential fraud and identity theft resulting from personal identifying information being made available to criminals on internet black markets, according to the complaint.
Barnes is no stranger to data breach litigation. Barnes’ firm was one of four that represented a class of an estimated 50 million Home Depot customers whose personal and financial data was obtained by hackers in 2014 and then sold or traded on the dark web. The case, filed in federal court in Atlanta, settled last year for $27 million (including $7.5 million in legal fees).
Morgan & Morgan partner John Yanchunis, who partnered with Barnes in the Home Depot customer class action, also signed on to the Georgia suit. Yanchunis also is lead counsel in the Yahoo data breach case involving hacks that potentially compromised data and information of as many as 500 million Yahoo customers. That suit was filed in February in the Northern District of California.
On Friday, Phyllis Sumner, a partner at Atlanta’s King & Spalding, confirmed that she is representing Equifax in matters associated with the data security breach. Sumner declined further comment. The Daily Report has contacted but not yet reached Equifax’s communications spokeswoman for comment.
Barnes’ class action is one of two filed Thursday associated with the Equifax data breach. Los Angeles firm Geragos & Geragos joined with Portland, Oregon, firms Olsen Daines and Baxter & Baxter in filing a similar class action against Equifax in federal court in Oregon that, like the Georgia litigation, accuses Equifax of negligence in allegedly failing to maintain adequate technological safeguards that would protect consumers’ personal and financial information and credit histories from unauthorized access by hackers. Equifax, the Oregon suit alleges, “should have substantially increased the amount of money it spent to protect against cyber-attacks but chose not to.”
That class action, filed on behalf of Oregon residents Mary McHill and Brook Reinhard, suggested that damages could exceed $68.6 billion. The complaint also said an estimated 2.8 million consumers in Oregon alone, about half the state’s population, were likely affected by the Equifax hacks.
On Friday, Kansas City firm Stueve Siegel Hanson, also a veteran of the Atlanta Home Depot data breach litigation, joined with Barnes to file a third complaint against Equifax in federal court in Atlanta.
Stueve Siegel partner Norman Siegel said that, given the scope of the breach, he would “anticipate scores of lawsuits filed over the next several days.”
On Thursday, Equifax announced that “criminals” had exploited “a U.S. website application vulnerability” to gain access to Equifax files. The company claimed that it has “found no evidence of unauthorized activity” on what it described in a news release as Equifax’s “core consumer or commercial credit reporting databases.”
But it acknowledged that hackers had accessed names, Social Security numbers, birth dates, addresses, and, in some cases, driver’s license numbers. In addition, Equifax said that credit card numbers belonging to 209,000 U.S. consumers, as well as documents involving credit disputes by another 182,000 consumers whose credit reports Equifax has on file, were also compromised.
The hacked information was not limited to U.S. consumers, the company acknowledged. Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents.
Equifax also said in Thursday’s announcement that it engaged “a leading, independent cybersecurity firm” which conducted a forensic review to determine the scope of the intrusion, including the specific data impacted. Equifax said it also reported the criminal access to law enforcement, although it did not identify the agencies it notified.
Scott Flaherty contributed to this report.