Past Cases

In Re Equifax, Inc., Customer Data Security Breach Litigation

Status Past Case

Practice area Consumer Protection

Court U.S. District Court, Northern District of Georgia

Case number 1:17-md-02800-TWT


On January 13, 2020, U.S. District Judge Thomas W. Thrash Jr. granted final approval a landmark $1.5 billion settlement concluding this data breach class action affecting more than 147 million people in the U.S. The settlement consists of a record-breaking $425 million in monetary and injunctive benefits and requires Equifax to spend $1 billion to upgrade its security and technology. 

In his ruling, Judge Thrash noted that the settlement was “the largest and most comprehensive recovery in a data breach case in U.S. history by several orders of magnitude.” He continued, “Additionally, the court finds that much of the relief afforded by the settlement likely exceeds what could be achieved at trial, and, taken as a whole the settlement represents a result that is at the high end of the range of what could be achieved through continued litigation.” He concluded by commending plaintiffs’ lawyers, “The plaintiffs’ lawyers undertook extraordinary litigation risk in pursuing this case and investing as much time and effort as they did,” Judge Thrash added. “Moreover, the amount of work devoted to this case by class counsel likely was a principal reason that they were able to obtain such a favorable settlement at a relatively early stage.”

On February 12, 2018, Cohen Milstein’s Andrew N. Friedman was court-appointed to the Consumer Plaintiffs’ Steering Committee. He was also appointed Co-Chair of the Expert Committee.

Case Background

On September 7, 2017, Equifax announced that a massive cybersecurity data breach had occurred in its data systems from mid-May through July 2017. This hack allowed criminals to access personally identifiable information (“PII”) such as names, Social Security numbers, birth dates, addresses, and driver’s license numbers, for millions of individuals. In addition, Equifax reported that the hackers gained access to approximately 209,000 customers’ credit card numbers, and had gained access to financial dispute documents containing PII for approximately 182,000 U.S. customers.

Equifax admitted that it discovered the unauthorized access on July 29, 2017, yet did not inform the public of this breach until more than a month later.

On September 8, 2017, Cohen Milstein filed a putative data privacy breach class action, Washburn, et al v. Equifax, Inc., Case No. 1:17-cv-03451-MHC, U.S. District Court, Northern District of Georgia, Atlanta Division, against Equifax. On May 14, 2018, Washburn was consolidated into In re: Equifax, Inc. Customer Data Security Breach Litigation, MDL No. 2800, Case No.: 1:17-md-2800-TWT, United States District Court for Northern District of Georgia, Atlanta Division.

The complaint alleges that Equifax’s wrongful conduct includes failing to take adequate and reasonable measures to ensure its data systems were protected, failing to take available steps to prevent and stop the breach from ever happening, failing to disclose the material facts that it did not have adequate computer systems and security practices to safeguard consumers’ financial and personal data, and failing to provide timely and adequate notice of the data breach.

The complaint further alleges that Equifax’s actions and failure to act when required has caused Plaintiffs and millions of others to suffer harm and/or face the significant risk of future harm, including but not limited to: a) unauthorized charges on their debit and credit card accounts; b) theft of their personal and financial information; c) costs associated with the detection and prevention of identity theft and unauthorized use of their financial accounts; d) loss of use of and access to their account funds; e) the imminent and certainly impending injury flowing from potential fraud and identify theft posed by their credit card and personal information being placed in the hands of criminals; and f) continued risk to their financial and personal information.

Plaintiffs seek to recover monetary damages, injunctive relief, and other remedies for violations of state statutes and the common law.