Credit-reporting giant Equifax was hit with a class-action lawsuit within hours after disclosing that a cyberattack had potentially compromised personal information for 143 million U.S. consumers.
Filed in Oregon federal court late Thursday, the civil action accuses the Georgia-based company of failing to maintain adequate electronic security safeguards as part of a corporate effort to save money.
The lawsuit on behalf of plaintiffs Mary McHill and Brook Reinhard seeks an order requiring Equifax to preserve all records related to the breach and formally designating the case as a class-action for all consumers affected by the cyberattack.
The court complaint also seeks "fair compensation" and costs to be decided by a federal jury.
"In an attempt to increase profits, Equifax negligently failed to maintain adequate technological safeguards to protect Ms. McHill and Mr. Reinhard's information from unauthorized access by hackers," Oregon attorney Michael Fuller wrote in the complaint.
"Equifax knew and should have known that failure to maintain adequate technological safeguards would eventually result in a massive data breach."
News of the cyberbreach immediately prompted Reinhard to pay $19.95 to pay for third-party credit monitoring services "he otherwise would not have had to pay for," the lawsuit charged.
Equifax did not immediately respond to a message seeking comment on the case.
The scope of the cyberbreach — potentially affecting nearly half of the nation's population — instantly vaulted made the attack into the ranks of the largest electronic data compromises in U.S. history.
"With so many people possibly at risk, this is among the most serious attacks ever," said Avivah Litan, a security analyst at technology research giant Gartner. "You should probably just assume your information has been breached."
The FBI said it was "aware of the reporting and tracking the situation as appropriate." New York Attorney General Eric Schneiderman issued a consumer alert and started a formal investigation in which his office requested more information from Equifax.
On Capitol Hill, Rep. Jeb Hensarling, R-Texas, who chairs the House Committee on Financial Services, said the panel would hold a hearing to examine the cyberattack. Sen. Tammy Baldwin, D-Wisc., urged leaders of the Senate Committee on Commerce, Science, & Transportation to do the same.
Equifax said the cyberattack was discovered on July 29 and was carried out from mid-May to July 2017. The breach primarily involved names, Social Security numbers, birth dates, addresses and, in some cases, driver's license numbers for U.S. consumers, said Equifax.
The suspected criminal hacker or hackers behind the attack also gained access to credit-card numbers for approximately 209,000 consumers, along with certain dispute records with personal identifying information for roughly 182,000 consumers, Equifax said.
Additionally, the company identified unauthorized access to limited personal information for certain residents of the United Kingdom and Canada.
However, Equifax said there was no immediate evidence of improper activity on the company's core consumer or commercial credit-reporting databases.
Some consumers complained about the nearly six-week lag between the discovery of the attack and Equifax's public disclosure. The company said it took immediate steps to halt the intrusion and hire an independent cybersecurity firm to evaluate the breach and its impact.
"Because this incident involves a substantial amount of personal identifying information, the investigation has been complex and time-consuming. As soon as we had enough information to begin notification, we took appropriate steps to do so," Equifax said.
The company dedicated and launched a new website, www.equifaxsecurity2017.com, to help consumers determine whether their personal information may have been accessed and sign up for one year of free credit file monitoring and identity theft protection.
Equifax, along with Experian and TransUnion, is one of the three-largest credit-reporting firms in the U.S. The company organizes and analyzes data on more than 820 million consumers and more than 91 million businesses worldwide. Equifax's databases hold employee data submitted by more than 7,100 employers.
However, some consumers complained about delays in getting access to the website and additional delays in formalizing their registrations.
My enrollment date is 9/12. WHY NOT RIGHT AWAY?! And why is it MY responsibility to go back on the site on that day?! #equifaxbreach— Dagmar Bleasdale (@DagmarBleasdale) September 8, 2017
The breach represents the third significant cybersecurity threat at Equifax in recent years. Hackers in 2016 stole federal W-2 tax information from an Equifax website. Identity thieves earlier this year also stole W-2 tax information from an Equifax subsidiary, TALX, which provides online payroll services.
Follow USA TODAY reporter Kevin McCoy on Twitter: @kmccoynyc