Case 1:17-cv-03463-TWT Document 49 Filed 04/23/18 Page 1 of 198 UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF GEORGIA ATLANTA DIVISION IN RE EQUIFAX INC. SECURITIES Consolidated Case No. LITIGATION 1:17-cv-03463-TWT CONSOLIDATED CLASS ACTION COMPLAINT FOR VIOLATIONS OF THE FEDERAL SECURITIES LAWS Case 1:17-cv-03463-TWT Document 49 Filed 04/23/18 Page 2 of 198 TABLE OF CONTENTS Page I. PRELIMINARY STATEMENT .....................................................................2 II. PARTIES .......................................................................................................10 A. Lead Plaintiff ...................................................................................... 10 B. Defendants .......................................................................................... 10 1. Equifax, Inc. ............................................................................. 10 2. Individual Defendants .............................................................. 12 III. JURISDICTION AND VENUE ....................................................................13 IV. SUMMARY OF THE FRAUD .....................................................................13 A. Equifax’s Business is to Collect and Sell Sensitive Personal Information About Global Consumers ............................................... 13 B. Defendants Knew that Securing the Information Equifax Collected Was Critical to the Company’s Business ........................... 16 C. Defendants Issue Statements Touting Cybersecurity, Compliance with Data Protection Laws and Regulations, and Certifying the Integrity of Equifax’s Internal Controls ..................... 24 1. Defendants Touted the Security of Equifax’s Data Systems’ and The Company’s Efforts to Protect Consumer Information ............................................................. 25 2. Defendants Assured Investors That Equifax Zealously Complied with Data Protection Laws, Regulations, and Industry Best Practices ............................................................. 27 i Case 1:17-cv-03463-TWT Document 49 Filed 04/23/18 Page 3 of 198 3. Defendants Assured Investors That Equifax Had Adequate Internal Controls ...................................................... 28 D. In Truth, Equifax Failed to Adequately Secure and Protect Sensitive Consumer Information ........................................................ 29 E. Equifax Ignored Numerous Warnings That Its Data Protection Measures Were Inadequate to Protect Sensitive Information ............ 33 1. In 2013 and 2014 Equifax Experiences Breaches Due to Inadequate Cybersecurity ......................................................... 33 2. KPMG Flags Equifax’s Unsafe Encryption Practices ............. 35 3. Equifax’s “Attack Surface” Becomes Too Large to Defend ...................................................................................... 35 4. The W2Express Breach ............................................................ 36 5. Equifax Is Warned Repeatedly About Patching Deficiencies .............................................................................. 38 6. Throughout the Class Period Security Researchers Continue to Warn Equifax About Serious Cybersecurity Deficiencies, but These Warnings are Ignored ........................ 40 7. The LifeLock Breach ............................................................... 43 8. The TALX Breach ................................................................... 43 9. Equifax Hires Mandiant, But Ignores Its Advice .................... 46 F. Equifax’s Failure to Implement Basic Data Protection Measures Leads to The Massive Data Breach .................................................... 47 G. The Truth About Equifax’s Inadequate Cybersecurity Is Finally Revealed to Investors ......................................................................... 61 1. Revelations Affecting Trading on September 8, 2017 ............ 62 2. Revelations Affecting Trading on September 11, 2017 .......... 68 ii Case 1:17-cv-03463-TWT Document 49 Filed 04/23/18 Page 4 of 198 3. Revelations Affecting Trading on September 13, 2017 .......... 72 4. Revelations Affecting Trading on September 14, 2017 .......... 77 5. Revelations Affecting Trading on September 15, 2017 .......... 80 H. Post-Class Period Developments ....................................................... 81 1. Smith Departs the Company Without Severance .................... 81 2. Defendants Have Now Admitted that There Were Numerous Serious Deficiencies in Equifax’s Data Security Posture ....................................................................... 82 3. Equifax’s Data Protection Measures Are Severely Criticized by Experts, Lawmakers, and Others ....................... 87 4. Equifax’s Business Continues to Experience Significant Harm As a Result of the Data Breach ...................................... 93 I. Equifax’s Data Protection Measures Were Grossly Inadequate, and Failed to Meet Either Basic Industry Standards or Applicable Legal Requirements ......................................................... 94 1. Equifax Failed to Implement an Adequate Patch Management Process and Routinely Failed to Address Known Vulnerabilities ............................................................. 95 2. Equifax Failed to Encrypt Sensitive Data .............................. 100 3. Equifax Failed to Implement Adequate Authentication Measures ................................................................................ 103 4. Equifax Failed to Adequately Monitor Its Networks ............ 107 5. Equifax Allowed Sensitive Data to be Easily Accessed On Public-Facing Servers and Also Failed to Partition It ..... 109 6. Equifax Inappropriately Relied on Outdated and Obsolete Security Systems and Software .............................................. 111 iii Case 1:17-cv-03463-TWT Document 49 Filed 04/23/18 Page 5 of 198 7. Equifax Allowed Its “Attack Surface” to Balloon ................. 114 8. Equifax Allowed Unused Data to Accumulate on Vulnerable Systems and Failed to Dispose of Unneeded Data ........................................................................................ 115 9. Equifax Failed to Restrict Access to Sensitive Data ............. 116 10. Equifax Management Failed to Foster a Strong Security Culture and Ensure Adequate Training of Security Personnel ................................................................................ 118 11. Equifax Failed to Perform Adequate Security Reviews ........ 122 12. Equifax Failed to Develop an Adequate Data Breach Plan ... 124 V. ADDITIONAL ALLEGATIONS OF SCIENTER .....................................126 VI. DEFENDANTS’ MATERIALLY FALSE AND MISLEADING STATEMENTS ...........................................................................................139 A. Defendants’ Materially False and Misleading Statements Concerning Equifax’s Cybersecurity and the Company’s Efforts to Protect Consumer Information ......................................... 139 1. False and Misleading Statements Published on the Equifax Website ..................................................................... 139 2. Equifax’s SEC Filings ............................................................ 146 3. Equifax Investor Conferences and Presentations .................. 150 B. Defendants’ Materially False and Misleading Statements Concerning Equifax’s Compliance with Data Protection Laws, Regulations, and Industry Best Practices ......................................... 160 1. False and Misleading Statements Published on the Equifax Website ..................................................................... 160 2. Equifax’s SEC Filings ............................................................ 162 iv Case 1:17-cv-03463-TWT Document 49 Filed 04/23/18 Page 6 of 198 C. Defendants’ False and Misleading Statements Concerning Equifax’s Internal Controls .............................................................. 166 VII. LOSS CAUSATION ...................................................................................168 VIII. PRESUMPTION OF RELIANCE ..............................................................176 IX. INAPPLICABILITY OF THE STATUTORY SAFE HARBOR ...............177 X. CLASS ACTION ALLEGATIONS ............................................................177 XI. COUNTS .....................................................................................................180 XII. PRAYER FOR RELIEF ..............................................................................185 XIII. JURY DEMAND .........................................................................................185 v Case 1:17-cv-03463-TWT Document 49 Filed 04/23/18 Page 7 of 198 Lead Plaintiff Union Asset Management Holding AG (“Union”) brings this action under Sections 10(b) and 20(a) of the Securities Exchange Act of 1934 (the “Exchange Act”) on behalf of itself and all other similarly situated purchasers of the securities of Equifax, Inc. (“Equifax” or the “Company”) from February 25, 2016 through September 15, 2017, inclusive (the “Class Period”). Lead Plaintiff alleges the following upon personal knowledge as to itself and its own acts, and upon information and belief as to all other matters. Lead Plaintiff’s information and belief is based on, among other things, the independent investigation of Court-appointed Lead Counsel Bernstein Litowitz Berger & Grossmann LLP. This investigation included, among other things, a review and analysis of: (i) Equifax’s public filings with the SEC;
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages198 Page
-
File Size-