Yesterday Equifax revealed that they had a “cybersecurity incident” that potentially impacted about 143 million US consumers. Here’s how Equifax describes the breach:
Equifax Inc. today announced a cybersecurity incident potentially impacting approximately 143 million U.S. consumers. Criminals exploited a U.S. website application vulnerability to gain access to certain files. Based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.
The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed.
Equifax has set up a site, equifaxsecurity2017.com, where you can check if your information may have been compromised. You’ll be asked to enter your last name and the last six digits of your Social Security number (which seems like a lot of information to give them, though I recognize that it’s probably one of the only ways they can filter things, given the number of people potentially involved).
Upon entering my information, I got a message saying that they believe that my personal information may have been impacted by this incident.
You’re then given a date when you can enroll for free in TrustedID Premier, in order to monitor your credit. Here’s how TrustedID Premier works:
The offering, called TrustedID Premier, includes 3-Bureau credit monitoring of Equifax, Experian and TransUnion credit reports; copies of Equifax credit reports; the ability to lock and unlock Equifax credit reports; identity theft insurance; and Internet scanning for Social Security numbers – all complimentary to U.S. consumers for one year.
Due to how many people are potentially impacted, they can’t even let everyone enroll right away, so they give you a date when you’ll be able to enroll.
Unfortunately, Frequent Miler notes that Equifax’s “solution” to this may only make things worse. Arstechnica.com has the following to say about equifaxsecurity2017.com, the site to which Equifax is directing people who may be impacted by the breach:
The website www.equifaxsecurity2017.com/, which Equifax created to notify people of the breach, is highly problematic for a variety of reasons. It runs on a stock installation WordPress, a content management system that doesn’t provide the enterprise-grade security required for a site that asks people to provide their last name and all but three digits of their Social Security number. The TLS certificate doesn’t perform proper revocation checks. Worse still, the domain name isn’t registered to Equifax, and its format looks like precisely the kind of thing a criminal operation might use to steal people’s details. It’s no surprise that Cisco-owned Open DNS was blocking access to the site and warning it was a suspected phishing threat.
Furthermore, while I’m not sure how binding this is in practice, Frequent Miler also notes that you’re waiving your right to sue Equifax in court or sign up for any class action lawsuit if you sign up for TrustedID Premier, per the terms:
This arbitration will be conducted as an individual arbitration. Neither You nor We consent or agree to any arbitration on a class or representative basis, and the arbitrator shall have no authority to proceed with arbitration on a class or representative basis.
Update: Reader Rohan points out that the FAQs specifically indicate that the arbitration clause doesn’t apply to this cybersecurity incident.
I’m not much of a tech person, so I won’t claim to fully understand the inner workings of this. However, I plan to closely monitor my own credit with another service, and won’t be using Equifax’s TrustedID Premier offering, given how poorly they’ve handled this.
Were you impacted by the Equifax breach?