San Francisco first city in U.S. to sue Equifax for failing to protect 15M Californians

San Francisco's City Attorney on Tuesday filed a lawsuit against credit reporting company Equifax for failing to protect the personal data of more than 15 million Californians.

San Francisco is the first city in the country to sue Equifax over the massive data breach that compromised the personal information of 143 million U.S. consumers. The company disclosed the breach on Sept. 7, six weeks after it learned its system had been compromised. The suit was filed in San Francisco County Superior Court.

"Equifax's incompetence would be comical if the subject matter weren't so serious," Dennis Herrera said in a statement. "This company fell asleep at the switch and upended the lives of millions of people. The information that Equifax failed to safeguard is what people need to open a bank account, buy a home or rent an apartment. Now Californians have been put at risk of identity theft for years to come."

In an email sent to KTVU, Equifax wrote: "We cannot comment on pending litigation, but want to reassure consumers that we are remaining focused on helping them navigate the situation and providing the best customer support possible. We are listening to issues consumers have experienced and their suggestions, which are helping to further inform our actions as we continue to improve this process."

Also on Tuesday, Equifax ousted CEO Richard Smith in an effort to clean up the mess. Paulino do Rego Barros Jr. was named interim CEO, while board member Mark Feidler was appointed non-executive chairman.

According to San Francisco's lawsuit, Equifax:
-- failed to implement and maintain reasonable security procedures and practices
-- failed to provide timely notice of the data breach to affected California consumers
-- failed to provide complete, plain and clear information

The lawsuit seeks restitution for California consumers, civil penalties of up to $2,500 per violation of the law, and a court order requiring Equifax to implement and maintain appropriate security procedures for the highly sensitive information it handles.

Equifax Inc. is providing a year of free protection against identify theft for anyone who wants it, but some lawmakers are trying to pressure the company into extending that offer for the next decade. Some experts say that still isn't enough to guard against identify theft and are advising consumers to put a freeze on their files at Equifax, Experian and TransUnion to prevent anyone from getting a loan under their names.

Equifax collects names, phone numbers, addresses, social security numbers, dates of birth, financial account information and other data for 820 million consumers worldwide.

However, it uses an open-source software called Apache Struts on its website. Equifax didn't install a freely available "patch" to fix a vulnerability with the software after that security problem was detected and publicly announced on March 7, by various organizations, the suit contends. Herrera is alleging that Equifax could have prevented the data breach by implementing the free patches and fixes provided by the Apache Software Foundation in March 2017.

"When you're dealing with highly sensitive information, keeping your software up to date is such a basic step," Herrera said in a statement. "Equifax also could have encrypted this information or segmented the data in separate databases to prevent hackers from being able to access all of a person's information at once. Equifax did none of that."