(Reuters) - Massachusetts Attorney General Maura Healey filed a lawsuit on Tuesday against credit reporting firm Equifax Inc EFX.N following a breach that exposed the personal data of up to 143 million people, including 3 million in the state.

Senator Elizabeth Warren, a Massachusetts Democrat, called the breach a “nightmare” and said credit reporting companies should not profit from monitoring or freezing credit arising from the hack.

Equifax said the massive breach of sensitive data, including Social Insurance Numbers, might affect about 100,000 Canadians.

Equifax’s share price has fallen by about one-third since it disclosed the data breach, among the largest ever recorded, which included sensitive data like Social Security numbers, on Sept. 7.

Equifax shares closed up 0.5 percent at $94.87.

The lawsuit seeks civil penalties, disgorgement of profits, restitution, costs, and attorneys’ fees.

“Equifax needs to pay for its mistakes, make our residents whole, and fix the problem so it never happens again,” Healey said in a statement.

Credit reporting company Equifax Inc. corporate offices are pictured in Atlanta, Georgia, U.S., September 8, 2017. REUTERS/Tami Chappell

Equifax spokesman Wyatt Jefferies declined to comment on the lawsuit, but said in a email that the company wanted to reassure consumers of its focus on helping them to “navigate this situation.”

“The Equifax hack is a nightmare,” Sen. Warren said on the Senate floor. “At best, it is a giant hassle. Time on hold with credit reporting agencies. Fees for this service or that service. Confusion about what’s been stolen and what to do about it.”

Warren said it was inappropriate for Equifax to collect credit card information with an eye to later charging people for credit monitoring. “No one in this industry should profit from this hack,” she said.

Equifax has waived fees for removing and placing security freezes through Nov. 21.

Equifax, in its statement issued before Warren’s remarks, said it was aware that consumers were unhappy about glitches on its website and their difficulty in reaching call centers.

“We are experiencing a high volume of requests for security freezes,” spokesman Jefferies said, adding that Equifax was working diligently to improve customer service.

Hackers broke into Equifax’s database via a section of the company’s website where consumers dispute inaccurate information. On that portal, Equifax maintained consumer names, addresses, Social Security numbers and other sensitive information on at least 143 million consumers without encrypting it, the Massachusetts complaint says.

The data is deemed sensitive because consumers use it to prove creditworthiness when they want to buy homes or cars. But it can also be used by thieves to illegally apply for credit under consumers’ names.

The breach and the company’s response to it is being investigated by the Justice Department, the Federal Trade Commission and a group of about 40 state attorneys general. Additionally, Equifax Chief Executive Richard Smith is expected to testify on Oct. 3 before a House of Representatives panel.

Equifax said last week that it would likely need to contact fewer than 400,000 British consumers whose personal information might have been accessed in the breach.