ebook img

In re Equifax Inc. Securities Litigation 17-CV-03463-Consolidated Class Action Complaint for PDF

198 Pages·2017·1.46 MB·English
by  
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview In re Equifax Inc. Securities Litigation 17-CV-03463-Consolidated Class Action Complaint for

Case 1:17-cv-03463-TWT Document 49 Filed 04/23/18 Page 1 of 198 UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF GEORGIA ATLANTA DIVISION Consolidated Case No. IN RE EQUIFAX INC. SECURITIES 1:17-cv-03463-TWT LITIGATION CONSOLIDATED CLASS ACTION COMPLAINT FOR VIOLATIONS OF THE FEDERAL SECURITIES LAWS Case 1:17-cv-03463-TWT Document 49 Filed 04/23/18 Page 2 of 198 TABLE OF CONTENTS Page I. PRELIMINARY STATEMENT .....................................................................2 II. PARTIES .......................................................................................................10 A. Lead Plaintiff ...................................................................................... 10 B. Defendants .......................................................................................... 10 1. Equifax, Inc. ............................................................................. 10 2. Individual Defendants .............................................................. 12 III. JURISDICTION AND VENUE ....................................................................13 IV. SUMMARY OF THE FRAUD .....................................................................13 A. Equifax’s Business is to Collect and Sell Sensitive Personal Information About Global Consumers ............................................... 13 B. Defendants Knew that Securing the Information Equifax Collected Was Critical to the Company’s Business ........................... 16 C. Defendants Issue Statements Touting Cybersecurity, Compliance with Data Protection Laws and Regulations, and Certifying the Integrity of Equifax’s Internal Controls ..................... 24 1. Defendants Touted the Security of Equifax’s Data Systems’ and The Company’s Efforts to Protect Consumer Information ............................................................. 25 2. Defendants Assured Investors That Equifax Zealously Complied with Data Protection Laws, Regulations, and Industry Best Practices ............................................................. 27 i Case 1:17-cv-03463-TWT Document 49 Filed 04/23/18 Page 3 of 198 3. Defendants Assured Investors That Equifax Had Adequate Internal Controls ...................................................... 28 D. In Truth, Equifax Failed to Adequately Secure and Protect Sensitive Consumer Information ........................................................ 29 E. Equifax Ignored Numerous Warnings That Its Data Protection Measures Were Inadequate to Protect Sensitive Information ............ 33 1. In 2013 and 2014 Equifax Experiences Breaches Due to Inadequate Cybersecurity ......................................................... 33 2. KPMG Flags Equifax’s Unsafe Encryption Practices ............. 35 3. Equifax’s “Attack Surface” Becomes Too Large to Defend ...................................................................................... 35 4. The W2Express Breach ............................................................ 36 5. Equifax Is Warned Repeatedly About Patching Deficiencies .............................................................................. 38 6. Throughout the Class Period Security Researchers Continue to Warn Equifax About Serious Cybersecurity Deficiencies, but These Warnings are Ignored ........................ 40 7. The LifeLock Breach ............................................................... 43 8. The TALX Breach ................................................................... 43 9. Equifax Hires Mandiant, But Ignores Its Advice .................... 46 F. Equifax’s Failure to Implement Basic Data Protection Measures Leads to The Massive Data Breach .................................................... 47 G. The Truth About Equifax’s Inadequate Cybersecurity Is Finally Revealed to Investors ......................................................................... 61 1. Revelations Affecting Trading on September 8, 2017 ............ 62 2. Revelations Affecting Trading on September 11, 2017 .......... 68 ii Case 1:17-cv-03463-TWT Document 49 Filed 04/23/18 Page 4 of 198 3. Revelations Affecting Trading on September 13, 2017 .......... 72 4. Revelations Affecting Trading on September 14, 2017 .......... 77 5. Revelations Affecting Trading on September 15, 2017 .......... 80 H. Post-Class Period Developments ....................................................... 81 1. Smith Departs the Company Without Severance .................... 81 2. Defendants Have Now Admitted that There Were Numerous Serious Deficiencies in Equifax’s Data Security Posture ....................................................................... 82 3. Equifax’s Data Protection Measures Are Severely Criticized by Experts, Lawmakers, and Others ....................... 87 4. Equifax’s Business Continues to Experience Significant Harm As a Result of the Data Breach ...................................... 93 I. Equifax’s Data Protection Measures Were Grossly Inadequate, and Failed to Meet Either Basic Industry Standards or Applicable Legal Requirements ......................................................... 94 1. Equifax Failed to Implement an Adequate Patch Management Process and Routinely Failed to Address Known Vulnerabilities ............................................................. 95 2. Equifax Failed to Encrypt Sensitive Data .............................. 100 3. Equifax Failed to Implement Adequate Authentication Measures ................................................................................ 103 4. Equifax Failed to Adequately Monitor Its Networks ............ 107 5. Equifax Allowed Sensitive Data to be Easily Accessed On Public-Facing Servers and Also Failed to Partition It ..... 109 6. Equifax Inappropriately Relied on Outdated and Obsolete Security Systems and Software .............................................. 111 iii Case 1:17-cv-03463-TWT Document 49 Filed 04/23/18 Page 5 of 198 7. Equifax Allowed Its “Attack Surface” to Balloon ................. 114 8. Equifax Allowed Unused Data to Accumulate on Vulnerable Systems and Failed to Dispose of Unneeded Data ........................................................................................ 115 9. Equifax Failed to Restrict Access to Sensitive Data ............. 116 10. Equifax Management Failed to Foster a Strong Security Culture and Ensure Adequate Training of Security Personnel ................................................................................ 118 11. Equifax Failed to Perform Adequate Security Reviews ........ 122 12. Equifax Failed to Develop an Adequate Data Breach Plan ... 124 V. ADDITIONAL ALLEGATIONS OF SCIENTER .....................................126 VI. DEFENDANTS’ MATERIALLY FALSE AND MISLEADING STATEMENTS ...........................................................................................139 A. Defendants’ Materially False and Misleading Statements Concerning Equifax’s Cybersecurity and the Company’s Efforts to Protect Consumer Information ......................................... 139 1. False and Misleading Statements Published on the Equifax Website ..................................................................... 139 2. Equifax’s SEC Filings ............................................................ 146 3. Equifax Investor Conferences and Presentations .................. 150 B. Defendants’ Materially False and Misleading Statements Concerning Equifax’s Compliance with Data Protection Laws, Regulations, and Industry Best Practices ......................................... 160 1. False and Misleading Statements Published on the Equifax Website ..................................................................... 160 2. Equifax’s SEC Filings ............................................................ 162 iv Case 1:17-cv-03463-TWT Document 49 Filed 04/23/18 Page 6 of 198 C. Defendants’ False and Misleading Statements Concerning Equifax’s Internal Controls .............................................................. 166 VII. LOSS CAUSATION ...................................................................................168 VIII. PRESUMPTION OF RELIANCE ..............................................................176 IX. INAPPLICABILITY OF THE STATUTORY SAFE HARBOR ...............177 X. CLASS ACTION ALLEGATIONS ............................................................177 XI. COUNTS .....................................................................................................180 XII. PRAYER FOR RELIEF ..............................................................................185 XIII. JURY DEMAND .........................................................................................185 v Case 1:17-cv-03463-TWT Document 49 Filed 04/23/18 Page 7 of 198 Lead Plaintiff Union Asset Management Holding AG (“Union”) brings this action under Sections 10(b) and 20(a) of the Securities Exchange Act of 1934 (the “Exchange Act”) on behalf of itself and all other similarly situated purchasers of the securities of Equifax, Inc. (“Equifax” or the “Company”) from February 25, 2016 through September 15, 2017, inclusive (the “Class Period”). Lead Plaintiff alleges the following upon personal knowledge as to itself and its own acts, and upon information and belief as to all other matters. Lead Plaintiff’s information and belief is based on, among other things, the independent investigation of Court-appointed Lead Counsel Bernstein Litowitz Berger & Grossmann LLP. This investigation included, among other things, a review and analysis of: (i) Equifax’s public filings with the SEC; (ii) public reports and news articles; (iii) research reports by securities and financial analysts; (iv) transcripts of Equifax’s investor calls; (v) economic analyses of securities movement and pricing data; (vi) consultations with relevant experts; and (vii) other publicly available material and data identified herein. Lead Counsel’s investigation into the factual allegations contained herein is continuing, and many of the facts supporting the allegations contained herein are known only to the Defendants or are exclusively within their custody or control. Lead Plaintiff believes that further substantial evidentiary support will exist for the allegations contained herein after a reasonable opportunity for discovery. Case 1:17-cv-03463-TWT Document 49 Filed 04/23/18 Page 8 of 198 I. PRELIMINARY STATEMENT 1. This case is about the massive gulf between what Defendants said about cybersecurity and what they actually did. For example, during the Class Period, Equifax stated: As a trusted steward of consumer and business information, Equifax employs strong data security and confidentiality standards on the data we provide and on the access to that data. We maintain a highly sophisticated data information network that includes advanced 1 security, protections and redundancies. Equifax also stated that the Company: [P]rotect[s] the privacy and confidentiality of personal information about consumers. . . . Safeguarding the privacy and security of information, both online and offline, is a top priority for Equifax. And Equifax’s former CEO, Defendant Smith, reassured investors that: Data security is . . . top of mind. . . . [I] feel like we’re in really good shape. 2. Contrasting these statements are analyses of the realities of Defendants’ cybersecurity during the Class Period. For instance, the Institute for Critical Infrastructure Technology, a prominent cybersecurity think tank, concluded: A breach of Equifax systems was inevitable. . . [B]ecause the C-suite exhibited . . . a lack of cyber-hygiene, and a disregard for information security training and qualified personnel. Likewise, a November 2017 Forbes article quoted cybersecurity expert 1 Unless otherwise noted, any emphasis in quotations contained in this Complaint is added. 2 Case 1:17-cv-03463-TWT Document 49 Filed 04/23/18 Page 9 of 198 Wes Moehlenbruck’s conclusion that: The real problem was a very poor focus on information security at the highest levels of the company – what we call C-level. 3. Defendants Equifax, Smith, Gamble, Ploder and Dodge made numerous additional false and misleading statements and omissions about the Company’s efforts to safeguard the highly sensitive personal information at the core of the Company’s business, the vulnerability of its internal systems to a cyberattack, and its compliance with applicable data protection laws and cybersecurity best practices. As detailed herein, and contradicting its public disclosures, Equifax failed to take basic steps to protect the Company from intrusions and data theft, and ignored warnings from consultants, independent security researchers, and others that its cyberdefenses were woefully inadequate to protect the exceedingly valuable information the public had entrusted to it. As a result of Defendants’ misconduct, hackers penetrated Equifax’s systems in March of 2017, resulting in the largest and most devastating security breach in American history (the “Data Breach”). Personal information belonging to more than 148 million Americans – half the country’s adult population – was compromised in the attack. However, even when, in July 2017, Equifax discovered that its highly sensitive databases had been compromised Defendants concealed this crucial information from investors and the public. Finally, beginning on September 7, 2017, Equifax began to disclose facts revealing 3 Case 1:17-cv-03463-TWT Document 49 Filed 04/23/18 Page 10 of 198 the profound inadequacy of the Company’s cybersecurity, causing Equifax’s stock price to tumble and wiping out billions in shareholder value. 4. Equifax’s business consists almost exclusively of collecting, aggregating and selling the sensitive personal data of individual consumers. Equifax repeatedly acknowledged that maintaining such information on its computer networks made it a highly-visible target for hackers and other criminals seeking to obtain and leverage that information. 5. Defendant Smith, Equifax’s former CEO, personally acknowledged the risks associated with the Company’s possession of massive amounts of consumer data and told investors that the Company’s ability to protect its database “it’s my number one worry, obviously.” Similarly, Defendant Dodge, Equifax’s Director of Investor Relations, assured investors that, given the importance of data security to Equifax, unlike other businesses that sell “hammers,” if Equifax had a data breach, “we’re not in too good a shape out of that, right? So data security and how we go about ensuring that is something we spend a lot of time and effort on.” 6. In statements like those quoted above, Defendants sought to reassure investors and the public about Equifax’s ability to protect the personal information of hundreds of millions of consumers and repeatedly touted the Company’s commitment to, and the strength and integrity of, its cybersecurity program. 7. Those statements, and the many like them detailed in this Complaint, were false. As a result of Equifax’s disastrously inadequate cybersecurity, investors 4

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.