A US judge has given the go-ahead for a set of consolidated lawsuits against credit agency Equifax regarding its 2017 mega-hack.

In a series of orders handed down in a Georgia federal district court on Monday, the evocatively named Judge Thomas Thrash Jr said that legal challenges from payment card issuers and ordinary citizens can proceed against Equifax. A class-action lawsuit brought by ten “small businesses” – which included corporations and limited liability companies – was denied, though. The small biz owners can join in with the consumers.

In effect, payment card issuers are going ahead as one set of lawsuits, and normal folk are bunched into another set, against Equifax. The credit agency had sought to dismiss the claims against it.

The lawsuits were all filed after the credit reference agency admitted in 2017 that some 148 million personal records – including a mix of names, social security numbers, taxpayer ID numbers, and credit card numbers and expiry dates – were stolen by database hackers.

In court documents, Thrash highlighted the “unprecedented” scale of the breach, the fact Equifax is responsible for information on more than 820 million individuals and 91 million businesses, and that it had bragged about its security credentials while having demonstrably poor basic maintenance techniques.

The small businesses claimed they had been harmed due to their owners’ personal data (rather than that of the businesses) being compromised, arguing that this “jeopardized” the creditworthiness of the owners and thus the firms. But the judge said they failed to show injury other than to the owners as individuals, that the alleged injuries “are too speculative,” and that a chain of events would need to occur for the small businesses to suffer actual damage.

Card floggers and consumers good to go

The financial institutions said that the data breach caused them harm because it impacted both their organisations and the mechanisms they use to authenticate customers. They argued they have spent extra time and money in the aftermath of the hack: responding to the compromise of the credit reporting system, and the leak of personal information they rely on for their business; on assessing the impact of the breach; and on mitigating what they say is a substantial risk of future fraudulent activity.

Equifax how-it-was-mega-hacked damning dossier lands, in all of its infuriating glory READ MORE

Some 23 financial houses also alleged they had issued payment cards that were compromised in the breach, and had spent time and money reissuing these payment cards and reimbursing customers.

The judge ruled that the card issuers can go ahead with their case on the grounds that the banks have incurred concrete costs as a result of the breach and in refunding fraudulent charges. But other financial associations cannot proceed, because they have alleged only "generic and abstract" injuries.

The consumer group, made up of 96 people and seeking to represent more, said they were suffering a “present, immediate, imminent, and continuing increased risk of harm” after their personal information was exposed.

The court ruled that Equifax did owe those plaintiffs a duty of care to safeguard personal information, and that the plaintiffs’ argument that the the biz knew of “severe deficiencies” in their systems but didn’t act was sufficient to allege bad faith on the part of Equifax. ®