On December 19, 2019 the court granted final approval a landmark $1.5 billion settlement concluding this data breach class action affecting more than 147 million people in the U.S. The settlement consists of a record-breaking $425 million in monetary and injunctive benefits and requires Equifax to spend $1 billion to upgrade its security and technology. 

On February 12, 2018, Cohen Milstein was appointed to the Consumer Plaintiffs' Steering Committee.

Case Background


On September 7, 2017, Equifax announced that a massive cybersecurity data breach had occurred in its data systems from mid-May through July 2017. This hack allowed criminals to access personally identifiable information (“PII”) such as names, Social Security numbers, birth dates, addresses, and driver’s license numbers, for millions of individuals. In addition, Equifax reported that the hackers gained access to approximately 209,000 customers’ credit card numbers, and had gained access to financial dispute documents containing PII for approximately 182,000 U.S. customers.

Equifax admitted that it discovered the unauthorized access on July 29, 2017, yet did not inform the public of this breach until more than a month later.

On September 8, 2017, Cohen Milstein filed a putative data privacy breach class action, Washburn, et al v. Equifax, Inc., Case No. 1:17-cv-03451-MHC, U.S. District Court, Northern District of Georgia, Atlanta Division, against Equifax. On May 14, 2018, Washburn was consolidated into In re: Equifax, Inc. Customer Data Security Breach Litigation, MDL No. 2800, Case No.: 1:17-md-2800-TWT, United States District Court for Northern District of Georgia, Atlanta Division.

The complaint alleges that Equifax’s wrongful conduct includes failing to take adequate and reasonable measures to ensure its data systems were protected, failing to take available steps to prevent and stop the breach from ever happening, failing to disclose the material facts that it did not have adequate computer systems and security practices to safeguard consumers’ financial and personal data, and failing to provide timely and adequate notice of the data breach.

The complaint further alleges that Equifax’s actions and failure to act when required has caused Plaintiffs and millions of others to suffer harm and/or face the significant risk of future harm, including but not limited to: a) unauthorized charges on their debit and credit card accounts; b) theft of their personal and financial information; c) costs associated with the detection and prevention of identity theft and unauthorized use of their financial accounts; d) loss of use of and access to their account funds; e) the imminent and certainly impending injury flowing from potential fraud and identify theft posed by their credit card and personal information being placed in the hands of criminals; and f) continued risk to their financial and personal information.

Plaintiffs seek to recover monetary damages, injunctive relief, and other remedies for violations of state statutes and the common law.