Equifax, one of the three largest credit reporting agencies in the United States, has been at the center of three major legal actions over the past decade — each involving a different failure, but the same institution. A 2017 data breach exposed the personal information of 147 million Americans. A 2022 coding glitch sent inaccurate credit scores to lenders for hundreds of thousands of consumers. And in January 2025, the Consumer Financial Protection Bureau ordered Equifax to pay a $15 million civil penalty for years of improper dispute investigations — the same category of failure regulators have been flagging since at least 2017. Each failure was distinct. The pattern is not.
Together, these legal actions represent the most consequential litigation history of any credit bureau in U.S. history. The 2019 settlement — $700 million, the largest data breach settlement at the time — set a benchmark. The 2025 CFPB action confirmed the problems persisted. Individual FCRA lawsuits continue to be filed in federal courts by consumers whose disputes Equifax allegedly ignored, whose deleted errors were reinserted, and whose credit scores were miscalculated by software that was never fixed.
- What: Three separate Equifax legal matters: (1) 2017 data breach class action settled for $700M; (2) 2022 credit score glitch class action; (3) January 2025 CFPB $15M penalty for improper dispute investigations
- Who: 147 million consumers (breach); approximately 300,000+ consumers (score glitch); millions of dispute filers (CFPB action) vs. Equifax, Inc. and Equifax Information Services LLC
- Status: Data breach settlement: final payments distributed 2025–2026; 2022 glitch class action: ongoing in federal court in Atlanta; CFPB consent order: issued January 17, 2025; individual FCRA claims: ongoing
- Injuries: Identity theft and fraud from exposed SSNs; loan denials and higher interest rates from miscalculated scores; financial harm from credit report errors Equifax refused to correct
- Settlement: $700M data breach settlement (up to $425M for consumers); $15M CFPB civil penalty (deposited to victims relief fund); NY AG $725,000 settlement
- Eligibility: 2017 breach: claim deadline passed January 22, 2024; free identity restoration services through January 2029; 2022 glitch: class action ongoing; individual FCRA claims: file within 2 years of discovery
- Key date: January 17, 2025 — CFPB ordered $15M penalty; April 16, 2026 — final data breach settlement payments distributed

Equifax Lawsuit Timeline and Updates
May–July 2017 — The Breach: 76 Days Inside Equifax’s Systems
Equifax was alerted to a critical vulnerability in its Apache Struts software on March 7, 2017, when Apache released a security patch for CVE-2017-5638. Equifax’s security team required the vulnerability be patched within 48 hours. It was not. Attackers first exploited the unpatched vulnerability on May 13, 2017, gaining access to Equifax’s online dispute portal — the system consumers use to contest credit report errors.
Attackers operated inside Equifax’s network for 76 days, until July 30, 2017, exfiltrating data continuously. The breach exposed:
- 145.5 million Social Security numbers
- 209,000 payment card numbers and expiration dates
- Names, dates of birth, and physical addresses for approximately 147 million people
- Driver’s license numbers for a subset of affected consumers
Equifax publicly disclosed the breach on September 7, 2017. The company’s stock dropped 13% the following day. Within days, reporting revealed that three Equifax executives had sold approximately $1.8 million in company shares between the breach’s internal discovery in late July and its public disclosure — triggering SEC and DOJ insider trading investigations. Former CIO Jun Ying was later charged and convicted for insider trading based on his sale of Equifax shares before the public disclosure.
2017–2019 — Federal and State Investigations
The FTC, CFPB, and 50 state attorneys general opened investigations. Congress held hearings. Then-CEO Richard Smith retired on September 26, 2017, facing pointed questions about why a known critical vulnerability went unpatched for months. The U.S. Department of Justice attributed the breach to four members of China’s People’s Liberation Army Unit 54th Research Institute — making the Equifax hack one of the first major data breaches formally attributed to Chinese military intelligence operations.
Maryland Attorney General Brian Frosh, at the 2019 settlement announcement, called the breach “one of the largest in U.S. history and perhaps the most dangerous” — because Social Security numbers and dates of birth, unlike credit card numbers, cannot be changed. Once exposed, they remain useful to identity thieves indefinitely.
July 22, 2019 — $700 Million Global Settlement
Equifax agreed to a global settlement with the FTC, CFPB, and all 50 states and territories. The total: up to $700 million. The structure:
| Fund | Amount | Purpose |
|---|---|---|
| Consumer relief fund | $300M (+ $125M additional) | Credit monitoring, cash payments, identity theft help |
| State AGs (48 states + DC + PR) | $175M | State enforcement and consumer restitution |
| CFPB civil penalty | $100M | CFPB victims relief fund |
Equifax also agreed to spend $1 billion improving its information security practices over five years — a technology investment mandate without precedent in data breach settlements at the time. The settlement was approved by U.S. District Court for the Northern District of Georgia, Case No. 1:17-md-02800-TWT, before Judge Thomas W. Thrash Jr.
January 22, 2024 — Consumer Claim Deadline Passed
The deadline for affected consumers to file claims for cash payments from the Equifax breach settlement passed on January 22, 2024. The original cash payment option — up to $125 per person for time spent dealing with fraud — was significantly diluted because too many consumers claimed it. The FTC recommended consumers choose the free credit monitoring option instead, which remained available through settlement channels.
The settlement administrator continued processing identity theft and fraud claims after the deadline. Final payments were distributed beginning in the fourth quarter of 2025 and continuing into 2026.
March–April 2022 — The Credit Score Glitch
A separate Equifax failure emerged in the spring of 2022. During a transition to a new cloud-based technology platform, an Equifax employee introduced a coding error affecting its legacy credit scoring model. From approximately March 6 to April 6, 2022 — a 31-day window — Equifax transmitted inaccurate credit scores to lenders across the country, including Wells Fargo, JPMorgan Chase, and Ally Financial.
Equifax acknowledged that approximately 300,000 consumers experienced a score shift of 25 points or more. Some consumers saw scores drop by as much as 130 points — enough to move a borrower from a “good” credit tier to a “fair” or “poor” tier. The Wall Street Journal, which broke the story in August 2022, reported that the affected calculations covered “about 12% of credit scores” pulled during the period.
The consequences were concrete. Consumers who applied for mortgages, auto loans, and credit cards during the glitch period faced: loan denials, higher interest rates, less favorable loan terms, forced application at secondary or subprime lenders at significantly greater cost. Lead plaintiff Nydia Jenkins, a Florida resident, was pre-approved for a car loan in January 2022 with an estimated $350 monthly payment. After her credit score dropped 130 points due to the glitch, she was denied the original loan and forced to finance through a “buy now” dealership — paying $252 bi-weekly, or $504 per month. Her annual cost increased by approximately $2,350 because of Equifax’s coding error.
August 2022 — Class Action Filed Over Score Glitch
Morgan and Morgan filed a class action against Equifax in the U.S. District Court in Atlanta on August 3, 2022, on behalf of Jenkins and all similarly situated consumers. The complaint alleged violations of the Fair Credit Reporting Act (FCRA), which requires consumer reporting agencies to follow reasonable procedures to ensure maximum possible accuracy of consumer report information. By late 2022, six additional plaintiffs from seven states had joined — all claiming scores were miscalculated by between 26 and 170 points, resulting in loan denials or less favorable terms. That class action remains pending.
January 2025 — New York AG Secures $725,000 for Coding Error Victims
New York Attorney General Letitia James announced a settlement with Equifax in January 2025 specifically addressing the 2022 coding error’s impact on New York consumers. Equifax agreed to pay $725,000 and implement additional monitoring safeguards. The settlement required Equifax to monitor incident reports filed by its customers at least once per week. The NY AG’s office found that more than 77,000 New Yorkers had their credit scores wrongly decline as a result of the glitch.
January 17, 2025 — CFPB Orders $15 Million Penalty for Dispute Investigation Failures
The Consumer Financial Protection Bureau issued a consent order against Equifax on January 17, 2025 — its most significant enforcement action against the company since the 2019 data breach settlement. The CFPB found Equifax had violated the Fair Credit Reporting Act through a pattern of conduct that the Bureau said had harmed consumers “to the detriment of millions” since at least October 2017.
The specific findings:
- Ignored consumer dispute evidence: When consumers submitted documentation to dispute errors on their reports, Equifax ignored the documents and failed to use them in its investigation.
- Reinserted deleted errors: After Equifax removed inaccuracies from credit reports following consumer disputes, those same errors were allowed to reappear on reports — “zombie errors” that returned after supposedly being corrected.
- Sent confusing investigation results: Letters to consumers about dispute outcomes were confusing and sometimes contradictory, making it impossible for consumers to understand what had been found or corrected.
- Flawed software produced wrong scores: Coding errors in Equifax’s internal software caused it to miscalculate and transmit inaccurate credit scores to lenders — affecting several hundred thousand consumers. Equifax also reported the same credit accounts multiple times for more than 50,000 consumers.
- Parroted furnisher responses: Instead of conducting independent investigations, Equifax routinely accepted lenders’ and debt collectors’ responses to disputes without reviewing the consumer’s side of the dispute — a practice critics call “parroting.”
CFPB Director Rohit Chopra stated: “Equifax failed in its basic duty to investigate and resolve consumer disputes about inaccurate information on their credit reports.” Equifax was ordered to pay a $15 million civil money penalty deposited to the CFPB’s victims relief fund, and to bring its dispute investigation practices into compliance with federal law. Equifax processes approximately 765,000 disputes per month — each one now subject to the renewed compliance requirements. The National Consumer Law Center’s Chi Chi Wu described Equifax’s dispute system as “Kafka-esque” — automated responses that always rule against the consumer without reviewing the facts.
April 16, 2026 — Data Breach Settlement Final Payments Distributed
Equifax confirmed that the court-appointed settlement administrator was distributing final payments in the data breach settlement beginning in the fourth quarter of 2025 and through the first half of 2026. Consumers who had claimed prepaid cards under the settlement received additional funds added to their cards in August 2025. The identity restoration benefit — free until January 2029 — remains available to breach victims even if they never filed a claim.
What the Pattern Reveals — Three Failures, One Institution
The Equifax legal record over the past decade tells a coherent story. The 2017 breach happened because Equifax failed to patch a known critical vulnerability for months. The 2022 score glitch happened because a coding error during a technology transition was not caught before it affected 300,000 consumers. The 2025 CFPB action documented conduct “since at least October 2017” — meaning the dispute investigation failures predate the breach announcement and continued through and after the $700 million settlement that was supposed to require corrective action.
What matters here is that Equifax processes data about virtually every adult American. Its credit reports determine whether you get a mortgage, what interest rate you pay on a car loan, and whether a landlord approves your application. When it makes errors — and the CFPB documented that it makes millions — the consequences fall entirely on consumers, not on Equifax. You cannot opt out of Equifax’s data collection. You did not choose to have your Social Security number in their system. And when they fail, you are the one denied the loan or forced to spend months disputing a zombie error that keeps coming back.
The legal record also reveals a structural problem: Equifax’s dispute investigation process is designed to favor furnishers — banks, lenders, and debt collectors who provide data to Equifax — over consumers who dispute that data. The CFPB’s term “parroting” describes exactly this dynamic: Equifax receives a consumer’s dispute, sends it to the furnisher, accepts the furnisher’s response without independent review, and tells the consumer their dispute was investigated and the information is accurate. The consumer loses the dispute. The furnisher wins. Equifax charges the furnisher for its data reporting services. The incentive structure has never aligned with the consumer’s interest in an accurate credit report.
Your Rights Under the FCRA — What Equifax Is Required to Do
The Fair Credit Reporting Act gives consumers specific rights when it comes to Equifax and credit reports. Equifax’s legal history demonstrates what happens when those rights are not honored — and what remedies exist.
| Your Right | Equifax’s Obligation | If Violated |
|---|---|---|
| Free credit report annually | Provide report within 15 days of request | Report violation to CFPB |
| Dispute inaccurate information | Investigate within 30 days; notify furnisher | Sue under FCRA; actual + punitive damages |
| Deleted errors stay deleted | No reinsertion without notice to consumer | Sue for damages; see Miller case ($1.62M award) |
| Statement of dispute in file | Include statement in future credit reports | Report to state AG and CFPB |
| Identity restoration (breach) | Free restoration services through Jan. 2029 | Contact settlement administrator directly |
The FCRA authorizes actual damages, statutory damages between $100 and $1,000 per violation, and punitive damages for willful violations. Attorney’s fees are available to prevailing plaintiffs. In the widely reported Miller case, a consumer who spent two years fighting Equifax over a credit report error that Equifax refused to correct — even after a lawsuit — received a $1.62 million verdict including punitive damages. The trial revealed that Equifax’s own representative testified it was company policy to investigate and correct files only after a lawsuit is filed. The judge noted the consumer was “frustrated, overwhelmed, angry, depressed, humiliated, fearful about misuse of her identity, and concerned for her damaged reputation” for two years.
What Consumers Can Still Do — Benefits That Remain Available
The claim filing deadline for cash payments in the data breach settlement passed on January 22, 2024. But two significant benefits remain available to affected consumers:
Free identity restoration services are available through January 2029 to anyone whose information was exposed in the 2017 breach — whether or not they ever filed a claim. To access this benefit, use the look-up tool at EquifaxBreachSettlement.com to confirm you were affected. The confirmation page provides a phone number and engagement number to reach free identity restoration specialists.
Individual FCRA lawsuits remain available for consumers who have experienced errors on their Equifax credit reports that Equifax failed to investigate and correct properly. The statute of limitations under the FCRA is two years from the date of the violation or five years from the date the violation occurred, whichever is earlier. Consumers who were affected by the 2022 score glitch and can document they applied for credit between March 6 and April 6, 2022, may still have viable claims if they have not previously settled.
The most practical first step for any consumer with an Equifax credit report error: dispute in writing by certified mail, not online. Consumer attorneys consistently note that paper disputes are more difficult for Equifax to ignore, create a documented record of the dispute date, and are harder to process through the automated system that the CFPB characterized as “Kafka-esque.” Similar to the dynamics in the DOT license dispute pattern, when a government agency has already documented the institutional failure, consumer claims have a factual foundation that pre-litigation disputes often lack.
What This Lawsuit Teaches Consumers
The Equifax litigation teaches a lesson about what happens when a company holds monopoly power over information that determines whether Americans can buy homes, finance cars, and access credit. Equifax did not earn your trust. You were placed in its database before you could consent, and you cannot leave it. When it fails — and the record shows it has failed repeatedly, in documented and legally adjudicated ways — you bear the cost.
The $700 million settlement did not fix the dispute investigation system. The CFPB had to come back six years later to fine Equifax $15 million for continuing the same category of violations. The settlement required $1 billion in security improvements. Equifax claims a 99.83% accuracy rate as of December 2024. That sounds impressive until you calculate what 0.17% means at the scale of 200 million+ consumer files: roughly 340,000 consumers with inaccurate information in their credit reports at any given time, under a regulator-accepted claim of improvement.
Check your credit reports. Dispute errors in writing. File complaints with the CFPB and your state attorney general when disputes are ignored. And understand that Equifax’s documented response to consumer disputes — the company testified in federal court that it investigates and corrects credit files only after a lawsuit is filed — is both a legal violation and a strategy. The system is designed to outlast you. The FCRA is designed to give you an alternative.
Read These
- Senate lawsuit provision repealed by the House
- Red Bull false advertising lawsuit
- Toyota driver data tracking class action
- SAVE student loan plan lawsuit dismissed
- Homeschool diploma Pennsylvania lawsuit
Frequently Asked Questions
What is the Equifax lawsuit?
The Equifax lawsuit refers to three legal actions: (1) the 2017 data breach class action settled for $700M; (2) class action lawsuits over Equifax’s 2022 credit score glitch affecting 300,000+ consumers; and (3) the January 2025 CFPB consent order imposing a $15M civil penalty for improper dispute investigations.
What is the current status of the Equifax lawsuit?
Final payments in the data breach settlement were distributed beginning late 2025 and into 2026. The CFPB consent order was issued January 17, 2025. The 2022 glitch class action remains pending in Atlanta federal court. Individual FCRA lawsuits continue to be filed.
What happened in the Equifax data breach?
From May 13 to July 30, 2017, hackers exploited an unpatched Apache Struts vulnerability in Equifax’s systems, accessing 145.5 million Social Security numbers, 209,000 payment card numbers, and names, dates of birth, and addresses for approximately 147 million Americans.
How much did Equifax pay to settle the data breach?
The 2019 settlement totaled up to $700 million: $425 million for consumer relief (credit monitoring, cash payments, identity theft services), $175 million to 48 states and territories, and $100 million to the CFPB as a civil penalty.
Can I still file a claim for the Equifax data breach?
The cash payment claim deadline was January 22, 2024. However, free identity restoration services remain available through January 2029 to anyone whose information was exposed in the 2017 breach, even if they never filed a claim. Use the look-up tool at EquifaxBreachSettlement.com.
What was the 2022 Equifax credit score glitch?
A coding error during Equifax’s transition to a new cloud platform in spring 2022 caused it to transmit inaccurate credit scores to lenders including Wells Fargo, JPMorgan Chase, and Ally Financial. Approximately 300,000 consumers experienced score shifts of 25+ points, some by as much as 130 points, leading to loan denials and higher interest rates.
Why did the CFPB fine Equifax $15 million in 2025?
The CFPB found Equifax: ignored consumer dispute documents and evidence; allowed deleted errors to be reinserted in credit reports; sent confusing and contradictory dispute outcome letters; used flawed software producing inaccurate scores; and accepted furnisher responses to disputes without independent review (‘parroting’).
How do I dispute an error on my Equifax credit report?
Dispute in writing by certified mail, not online. Include documentation supporting your dispute. Request a return receipt. Also file a complaint with the CFPB (consumerfinance.gov/complaint) and your state attorney general. If Equifax ignores your dispute, consult a consumer protection attorney about an FCRA lawsuit.
Can I sue Equifax individually for a credit report error?
Yes. The FCRA allows individuals to sue credit reporting agencies for actual damages, statutory damages of $100–$1,000 per willful violation, and punitive damages. Attorney’s fees are available to prevailing plaintiffs. The statute of limitations is 2 years from discovering the violation or 5 years from when it occurred, whichever is earlier.
What is the largest individual verdict against Equifax for a credit report error?
In a case where a consumer spent two years fighting Equifax over an error it refused to correct, a judge awarded $1.62 million including punitive damages. During trial, Equifax’s own representative testified it was company policy to investigate and correct credit files only after a lawsuit was filed.
Who was responsible for the Equifax data breach?
The U.S. Department of Justice formally attributed the 2017 Equifax breach to four members of China’s People’s Liberation Army, Unit 54th Research Institute, making it one of the first major consumer data breaches formally attributed to Chinese military intelligence.
What free services are still available from the Equifax data breach settlement?
Free identity restoration services, including specialized assistance dealing with identity theft and fraud from the breach, are available through January 2029. To access them, confirm your information was in the breach using the look-up tool at EquifaxBreachSettlement.com, then call the number provided on your confirmation page.
Leave a Reply