How To See If You Were Impacted By Equifax’s Major “Cybersecurity Incident”

Yesterday Equifax revealed that they had a “cybersecurity incident” that potentially impacted about 143 million US consumers. Here’s how Equifax describes the breach:

Equifax Inc. today announced a cybersecurity incident potentially impacting approximately 143 million U.S. consumers. Criminals exploited a U.S. website application vulnerability to gain access to certain files. Based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.

The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed.

Equifax has set up a site — equifaxsecurity2017.com — where you can check if your information may have been compromised. You’ll be asked to enter your last name and last six digits of your social security number (which seems like a lot of information to give them, though I recognize that it’s probably one of the only ways they can filter things, given the number of people potentially involved).

Upon entering my information, I got a message saying that they believe that my personal information may have been impacted by this incident.

You’re then given a date when you can enroll for free in TrustedID Premier, in order to monitor your credit. Here’s how TrustedID Premier works:

The offering, called TrustedID Premier, includes 3-Bureau credit monitoring of Equifax, Experian and TransUnion credit reports; copies of Equifax credit reports; the ability to lock and unlock Equifax credit reports; identity theft insurance; and Internet scanning for Social Security numbers – all complimentary to U.S. consumers for one year.

Due to how many people are potentially impacted, they can’t even let everyone enroll right away, so they give you a date when you’ll be able to enroll.

Unfortunately, Frequent Miler notes that Equifax’s “solution” to this may only make things worse. Arstechnica.com has the following to say about equifaxsecurity2017.com, the site to which Equifax is directing people who may be impacted by the breach:

The website www.equifaxsecurity2017.com/, which Equifax created to notify people of the breach, is highly problematic for a variety of reasons. It runs on a stock installation WordPress, a content management system that doesn’t provide the enterprise-grade security required for a site that asks people to provide their last name and all but three digits of their Social Security number. The TLS certificate doesn’t perform proper revocation checks. Worse still, the domain name isn’t registered to Equifax, and its format looks like precisely the kind of thing a criminal operation might use to steal people’s details. It’s no surprise that Cisco-owned Open DNS was blocking access to the site and warning it was a suspected phishing threat.

Wow…

Furthermore, while I’m not sure how binding this is in practice, Frequent Miler also notes that you’re waiving your right to sue Equifax in court or sign up for any class action lawsuit if you sign up for TrustedID Premier, per the terms:

This arbitration will be conducted as an individual arbitration. Neither You nor We consent or agree to any arbitration on a class or representative basis, and the arbitrator shall have no authority to proceed with arbitration on a class or representative basis.

Update: Reader Rohan points out that the FAQs specifically indicate that the arbitration clause doesn’t apply to this cybersecurity incident.

The arbitration clause and class action waiver included in the TrustedID Premier Terms of Use applies to the free credit file monitoring and identity theft protection products, and not the cybersecurity incident.

I’m not much of a tech person, so I won’t claim to fully understand the inner workings of this. However, I plan to closely monitor my own credit with another service, and won’t be using Equifax’s TrustedID Premier offering, given how poorly they’ve handled this.

Were you impacted by the Equifax breach?

Comments

  1. Very useful information, Ben. I had already heard similar facts on a radio show this morning.

    Accordingly, I’m taking the more direct route of freezing my credit rating with all three outfits, as recommended (for years) by Clark Howard and others:

    http://clark.com/personal-finance-credit/credit-freeze-and-thaw-guide/

    For those of you who apply for, say, new credit cards more frequently than I do, it might be annoying, but I already have PINS to “unfreeze” my rating with Equifax and Experian. The TransUnion website tells me to come back later.

  2. Not sure if I’m affected this time around but should I really freeze my credit like I’ve read on a couple articles? Red flag it? Any negatives for doing either of those things?

  3. Ben, the FAQ section of the website set up by Experian specifies that the waiver of class action suit rights does not apply to this incident. The relevant section is pasted below, from the FAQ page:
    “The arbitration clause and class action waiver included in the TrustedID Premier Terms of Use applies to the free credit file monitoring and identity theft protection products, and not the cybersecurity incident.”

  4. Put this at the top !!!

    Unfortunately Frequent Miler notes how Equifax’s “solution” to this may only make things worse. Arstechnica.com has the following to say about equifaxsecurity2017.com, which is the site that Equifax is directing people to who may be impacted by the breach:

  5. @Michelle, Please see my post above and read the article I posted. Consumer Reports and others make similar recommendations but do your own due diligence. Some may have to pay $10 per agency to freeze and again to unfreeze. I didn’t but would consider it a reasonable investment.

    It’s also a way of letting Equifax and the others know I’m not happy with them at the moment.

    YMMV.

    Cheers,
    Fredd

  6. Keep in mind, Equifax is trying to shove people into an arbitration “agreement” for using this service. There is at least one class action against them now, and this could kill your ability to sue them in a real court and/or participate in a class action. That is a bad thing. You can, however, opt out.

    Check this article:

    https://www.washingtonpost.com/news/the-switch/wp/2017/09/08/what-to-know-before-you-check-equifaxs-data-breach-website/?utm_term=.de6f7e3f3c36

  7. I got hit by the Federal Office of Personnel Management breach a few years ago and have been in an ID monitoring system. All it does is alert you when certain events occur. You have to go back in and investigate what each thing is about.

    Personally, I think these companies and agencies need to be held personally liable for these breaches. They CAN be prevented. I know as a former Program Manager for Security for national critical infrastructure. These companies just do not want to spend the money. They need to be shown that a breach like this will put them out of business. Equifax should be liquidated and the proceeds distributed to the victims.

  8. What about doing a fraud alert instead? At the Transunion site it advises this as a less drastic alternative: “A fraud alert is a good alternative for many consumers. It directs the credit report recipient to contact the consumer at a number the consumer provides before granting credit.” Seems easy and cheaper. Any thoughts?

  9. What I find almost as annoying as the breach itself is the response they provided after I gave them the last 6 of my SSN: “You MAY have been compromised.” That doesn’t tell me anything more than I already knew prior to providing the requested info.
    You MAY have cancer.
    Your home MAY be destroyed by a hurricane.
    I’m making light of neither life threatening diseases nor natural disasters – Equifax is compounding an already frustrating situation here. Their execs selling off millions in company stock last month adds insult to injury.

  10. 143 million. Every adult in the USA who has ever had contact with a financial institution or insurance company (even health insurance) has been compromised.

  11. @Michelle – regarding the choice to freeze your credit report: I’ve had my credit reports frozen for more than 10 years now. I was an ID theft victim, so freezing and temporarily lifting my reports is free for me. It will cost those who were not ID theft victims up to $10 per bureau to place a freeze, and then $10 again per bureau to temporarily lift it whenever you want to apply for credit. (It’s less than $10 in some states.)

    It is somewhat of a pain to temporarily lift the freeze, because I am able to do it online with only one bureau. One other one requires a phone call, and the other a letter. Technically they all allow online temporary freeze lifts, but realistically the bureaus are slimey sh!ts who do everything they can to make life difficult for you (unless you pay for a credit monitoring service through them – then they magically become very helpful, you get to talk to a representative quickly, etc).

    BUT, with regard to this specific Equifax breach: the problem is that data such as drivers license numbers has been stolen. The way you would get a credit bureau to lift a freeze if you’d forgotten your PIN is to write to them with a copy of your drivers license and one other piece of ID, such as a utility bill. So, if someone has your SSN and your drivers license number, it would be trivial for them to write to all three credit bureaus requesting a lift of the freeze. Of course, criminals probably don’t bother to do that because it’s easier to target people who *don’t* have a freeze in place. But the bottom line is that a freeze is by no means an airtight protection against ID theft.

  12. Certified Information Systems Auditor here.
    Do NOT use the lookup tool.
    It is on a web site that is not appropriately secured and has already been hacked.
    AND, as noted above, it requires you to sign away your rights to join a class action and submit to arbitration.
    This is the sleaziest thing I’ve ever seen a corporation attempt to get away with.
    Be vigilant on your credit reports, but it is clear that Equifax is going to do very little to really help solve this problem, they are only trying to profit from it.

  13. Few things:

    This is due to business friendly scumbags in congress and their minions who vote for them. If there was appropriate penalty on the companies this would not happen so often. The cost is passed from the business and borne by the consumer in typical red state scumbag politics.

    The freezing and unfreezing of credit reports should be made free after this DATA breach and mandated by Congress.

  14. @Debit – +1 to all that.

    And I’d add that Congress needs to pass strong consumer protection legislation NOW that includes severe penalties for companies and individuals who do not adequately protect sensitive personal information. As it is now, as I understand it, there is actually very little basis for a class action suit against Equifax because they didn’t really break any laws.

  15. Put this at the top !!! Or at least hide the link to the site at the bottom so your readers hopefully read the entire article before clicking and providing info to the compromised site!! Just screwed myself, thanks.

    Unfortunately Frequent Miler notes how Equifax’s “solution” to this may only make things worse. Arstechnica.com has the following to say about equifaxsecurity2017.com, which is the site that Equifax is directing people to who may be impacted by the breach:

  16. According to CNBC some executives bought large put options on the company stock AFTER the hack was discovered but BEFORE the news was broken. Not surprisingly the stock price is down a lot.

    If it turns out to be true, I hope those executives are prosecuted for insider dealing. On the face of it, that’s a disgusting thing for them to do.

  17. “On the face of it, that’s a disgusting thing for them to do.”

    Well, gee, if you are ethically challenged enough to be in charge of a predatory company whose sole purpose is to sell other people’s data (that they don’t want you to have, and that they can’t opt out of you having) to the highest bidder, it’s hardly surprising that you would act in the slimiest way possible when it’s discovered that you have been utterly negligent in your responsibility to protect the public.

  18. So maybe I’m just stupid but if I had already completed the registration am I screwed or is it if I was to actually complete the registration on the registration day when the period opens up?

  19. Luckily I am not impacted. However I tried to enroll into their program and the link is not working. It takes me back to the very 1st page where I have to enter my last name/SSN/Verify and after that when I hit enroll, it takes me to a different page where I hit continue enrolling and then it brings me back to the page where it asks me to enter my last name/SSN/Verify.

    I will try later.

  20. but it is clear that Equifax is going to do very little to really help solve this problem, they are only trying to profit from it.

    Are you kidding? There’s a reason the stock was down $20 today, and is likely going lower.

    Want all your credit cards changed as a result of this? The bill will go to Equifax. Reminds me of Heartland Payment Systems.
    Try changing your SS# !! Once per lifetime.
    Equifax is going to be on the hook for a very, very long time.

  21. Yet another disgusting display of greed, negligence, and bank control of our lives. And we wonder why leftist movements arise? Has no one learned from history?

  22. The biggest fail of their form is that it doesn’t even do anything. You can put in your pet’s name and “123456” and it will tell you that your information may have been affected. I would think that since they’re a credit reporting agency, then if you have a SSN you “may” have been affected. That’s not rocket science …

  23. I wish I had read your whole article before clicking on the link to protect my information. Now I feel that I gave away too much info to somebody that may not even be Equifax! How about not putting a questionable link right up front and then later warning people that it may not be safe to use it.

  24. Right... like I’m going to send out my SS number to people who can’t be trusted in any way to secure it...
