SALT LAKE CITY — Five Utahns sued Equifax for $5 billion Monday, claiming the massive breach of the company's credit monitoring data has compromised their personal information and put them at risk for identity theft.
Equifax failed to implement adequate security measures to safeguard consumers' personal information and willfully ignored weaknesses in the computer system, including prior hacks, according to the class-action lawsuit filed in U.S. District Court.
"They haven't cleaned up their act, so to speak, or taken steps to see that the same injury isn't repeated again," said Steven Christensen, a Sandy attorney who filed the suit.
In addition to monetary damages, Christensen said the lawsuit seeks to reform the credit monitoring industry to better secure consumers' personal information.
Equifax revealed last week that personal data of as many as 143 million consumers might have been compromised. Hackers might have gained access to Social Security numbers, birth dates, addresses and driver's license numbers — information that could then use to steal people's identity.
The company did not immediately respond to an email request for comment.
The lawsuit alleges Equifax knew the data was being breached from May through July but didn't report it to the public until September.
Christensen said he believes there are more than 143 million customers whose information was compromised. He said he can "almost guarantee" that hundreds if not thousands of people have already had their identity stolen because of the breach.
"The long-term effects of this are what's really scary because a lot of times when criminals obtain information such as this, they don't use it immediately. They can hang onto it for a year or two," he said. "It literally takes people years and sometimes decades to clear up identity theft issues. This isn't something that's going to go away quickly."
Christensen said the $5 billion in damages is a reasonable amount given the amount of money Equifax makes as one of the three largest credit monitoring agencies in the country. The company recently signed a $2 billion contract with the government, he said.
Retail giant Target earlier this year agreed to pay an $18.5 million multistate settlement — the largest ever for a data breach — to resolve state investigations of the 2013 cyberattack that affected more than 41 million of the company's customer payment card accounts.
"This is like 100 times worse than that," Christensen said.
The plaintiffs in the case are Tom Partridge, and Zane and Jennifer Christensen, of South Jordan; Zachary Christensen, of Sandy; and Cameron Christensen, of Lehi. Steven Christensen said some of them are his sons. He said he expects "many, many" more plaintiffs to join the lawsuit.