
I took Equifax to small claims. When that didn't pay up, I appealed and removed to higher courts. I continued doing this until it wasn't worth it for me. I think I cost Equifax a total of at least $20K USD. They had to keep flying lawyers back and forth from Atlanta to where I lived and put them in hotels.

I think I got them to spend more than I would have received in any settlement.

Fun note: my judge in small claims dismissed my case but said the following before dismissing it, "Mr. tuxxy, I would not trust Equifax with my dog's vaccination records. I'm absolutely appalled at the lack of protections Equifax provides for the personal data of Americans; however, I'm afraid I don't see a case for negligence..."

She lectured Equifax's lawyers a bit on what a shitty offer credit monitoring was for the loss of my PII, then sent us out.

I trolled their legal team a bit near the end and tried to settle for $3.50 after mediation failed. I wanted them to refer to the $3.50 as "tree-fiddy" in the settlement, but they refused. Oh well...




Sounds like your story would be a good article to read.


Yup. Would love to hear all the details.


I can write about it on my personal website. Maybe I'll submit it here some time. I'm afraid it's not that interesting other than the emails of me trolling them.

I wish more people took them to court. It was not difficult to do and is quite an effective form of direct action because they have to spend quite a bit of money to fight it.


That can be a helpful part of the writeup. I'm sure it would motivate a bunch of us to actually do that.


I second this! I'm sure there's lots of people on HN who would find this really useful. There's so little corporate accountability that individual legal action might actually prove significant. And as far as applying economic pressure, a ton of small-claims cases could prove more costly than a single class-action suit (and hence provide more deterrence).


Thirded. It could really have an effect to write about it and give this more attention, with perhaps a call to action to do likewise (and why that might be good).


Whenever I have worked somewhere and someone has complained and got nowhere, as soon as they lawyer up it goes to the top of the pile: 200% VIP treatment!


I just noticed $3.50 as the fee to use the HIBPA...

https://www.troyhunt.com/authentication-and-the-have-i-been-...

"In choosing the $3.50 figure, I wanted to ensure it was a number that was inconsequential to a legitimate user of the service. That's about what a latte costs at my local coffee shop so spending a few bucks a month to search through billions of records seems like a pretty damn good deal, especially when that rate limit enables 57.6k requests per day."


>The actors I've seen taking advantage of it are highly unlikely to front up with a credit card and provide what amounts to personally identifiable data (i.e. make a credit card payment) in order to mass enumerate the API.

Unless they just steal a credit card. Not unlikely, given who we're talking about here.


Yes, but burning a "good" stolen card to buy a $3.50 subscription is a waste.

Using an "exhausted" stolen card would get flagged by a good payment provider (Stripe!)

The only issue is in some parts of this world credit cards are difficult to obtain.


That's ridiculous; they were hacked through Struts CVE-2018-11776, which was discovered a month before the hack. If the appointed security officer had been monitoring CVE lists for their software, this would have been patched.

Moreover, their DLP system was offline for the period of the hack due to certificate expiration.

IANAL, but there was a clear case of negligence.

-- ed:

There were winning cases against Equifax. The payout was awarded for the damages: 3 years of credit counseling and monitoring, something in the $6k range.


Any reason you chose negligence? I mean, they don't have a duty of care. (They probably should have, but they don't.)


You’re my hero.


This is amazing! You're my hero.

However, are you afraid they may come after you for some kind of revenge?


Since software is involved, it is basically impossible for any court to ever judge a company guilty of negligence. There are no standards for software. No licensed engineers they could fail to hire, no industry mandated practices they could fail to follow, nothing. Even when Toyota's outrageous negligence killed dozens of people in their 'unintended acceleration' scandal, the actual negligence claims failed. That's very bad, because it is exactly those negligence claims that provide the best motivators to corporate executives when building critical infrastructure. A guilty verdict for negligence when building a bridge or road or similar can easily result in executives in real prison cells. But if a computer is involved, they know they don't need to worry. Their main worry then becomes the potential punitive damages awarded by juries, but that's just a monetary penalty and even those usually aren't larger than what it would cost for them to do things like hire experienced software engineers, give those engineers control over product scheduling, provide them with the tools they need, etc.



