The state of Indiana is suing Equifax over a massive cyberattack in 2017 that affected nearly 148 million people, including almost 4 million Hoosiers, Attorney General Curtis Hill's office said.

The lawsuit says Equifax, one of the nation's three major credit bureaus, failed to protect the Indiana residents whose personal information was exposed by the breach. The company's leaders chose "increasing revenue over protecting the safety of consumers' sensitive personal information," Hill said.

The civil case was announced by Hill's office during a press conference and in a news release on Monday.

“Hoosiers trust us to work hard every day to ensure their safety and security," Hill said in the release. "This action against Equifax results from an extensive investigation, and we will continue our diligent efforts to protect consumers from illegal or irresponsible business activities.”

IndyStar has reached out to Equifax for comment on the lawsuit.

The digital break-in occurred between May 13, 2017, and July 30, 2017, according to the lawsuit. Equifax said the data breach primarily compromised names, Social Security numbers, birth dates, addresses and, in some cases, driver's license numbers, USA Today reported.

The suit says Equifax announced the breach on September 7, 2017. The company said in a press release that it experienced a "cybersecurity incident potentially impacting 143 million U.S. consumers." The company later revealed that millions more consumers were affected, according to the suit.

The case comes amid a pending class-action lawsuit filed in December 2017 over the data breach. The suit says the millions of consumers affected by the breach remain subject to the risk of identity theft and fraud due to the attack.

Among other things, Hill's lawsuit accuses the Atlanta-based company of delaying investment in its technology and accumulating outdated systems in order to drive revenue and profit. The suit says the aging systems contributed to a number of prior data breaches, including breaches of Indiana residents' consumer information in 2010, 2012 and 2014.

The suit says Equifax's leadership was slow to respond to a report that revealed significant flaws in how it upgraded its software to fix bugs.

The 2015 audit found that the company's existing controls weren't "adequately designed to ensure Equifax systems are securely configured and patched in a timely manner," according to the suit. Company officials responded to the audit, the suit says, by directing its IT staff to develop a plan to fix the vulnerabilities.

The deadline was scheduled for more than a year after the audit, the suit said.

Amid the fallout from the breach, Equifax CEO and Chairman Richard Smith retired in September 2017. He'd served as the company's chief executive since 2005.

Smith was among three top officials at the company whose retirements were announced within a period of eleven days, according to the lawsuit. Chief Information Officer Susan Mauldin and Chief Security Officer David Webb also left the company.

After the cyberattack was disclosed, Smith told a U.S. House subcommittee the company had known before the attack about a computer software vulnerability that required updating.

A Government Accountability Office report requested by U.S. Sen. Elizabeth Warren, D-Massachusetts, and U.S. Rep. Elijah Cummings, D-Maryland, highlighted Equifax-provided information showing the attack lasted for approximately 76 days before it was discovered, USA Today reported.

USA Today contributed to this report.

Contact IndyStar reporter Crystal Hill at 317-444-6094 or cnhill@gannett.com. Follow her on Twitter: @crysnhill.