Just the latest setback for the credit reporting firm.
Massachusetts Attorney General Maura Healey filed a lawsuit on Tuesday against credit reporting firm Equifax Inc following a breach that exposed the personal data of up to 143 million people, including 3 million in the state.
Equifax said on Tuesday that themassive breach of sensitive data might affect about 100,000 Canadians.
“The information that may have been breached includes name, address, Social Insurance Number and, in limited cases, credit card numbers,” Equifax said in a statement.
Equifax’s share price has fallen by about one-third since it disclosed the data breach, among the largest ever recorded, which included sensitive data like Social Security numbers, on Sept. 7.
Equifax shares rose almost 0.6% to $94.92 in early-afternoon trading.
“Equifax knew about the vulnerabilities in its system for months, but utterly failed to keep the personal information of nearly three million Massachusetts residents safe from hackers,” said Healey said in a statement.
“Equifax needs to pay for its mistakes, make our residents whole, and fix the problem so it never happens again,” Healey added.
The lawsuit seeks civil penalties, disgorgement of profits, restitution, costs, and attorneys’ fees.
Equifax spokesman Wyatt Jefferies declined to comment on the lawsuit, but said in a email that the company wanted to reassure consumers of its focus on helping them to “navigate this situation and providing the best customer support possible.”
Hackers broke into Equifax’s database via a section of the company’s website where consumers may dispute inaccurate information. On that portal, Equifax maintained consumer names, addresses, Social Security numbers and other sensitive information on at least 143 million consumers without encrypting it, the complaint says.
Get Data Sheet, Fortune’s technology newsletter.
The data is deemed sensitive because consumers use it to fprove creditworthiness when they want to buy homes or cars. But it can also be used by thieves to illegally apply for credit under consumers’ names.
The breach and the company’s response to it is being investigated by the Justice Department, the Federal Trade Commission and a group of about 40 state attorneys general. Additionally, Equifax CEO Richard Smith is expected to testify on Oct. 3 before a House of Representatives panel.
Equifax said last week that it would likely need to contact fewer than 400,000 British consumers whose personal information might have been accessed in the breach.