Big-three credit bureau Equifax has reportedly agreed to pay at least $650 million to settle lawsuits stemming from a 2017 breach that let intruders steal personal and financial data on roughly 148 million Americans. Here’s a brief primer that attempts to break down what this settlement means for you, and what it says about the value of your identity.
Q: What happened?
A: If the terms of the settlement are approved by a court, the Federal Trade Commission says Equifax will be required to spend up to $425 million helping consumers who can demonstrate they were financially harmed by the breach. The company also will provide up to 10 years of free credit monitoring to those who had their data exposed.
Q: What about the rest of the money in the settlement?
A: An as-yet undisclosed amount will go to pay lawyers fees for the plaintiffs.
Q: $650 million seems like a lot. Is that some kind of record?
A: If not, it’s pretty close. The New York Times reported earlier today that it was thought to be the largest settlement ever paid by a company over a data breach, but that statement doesn’t appear anywhere in their current story.
Q: Hang on…148 million affected consumers…out of that $425 million pot that comes to just $2.87 per victim, right?
A: That’s one way of looking at it. But as always, the devil is in the details. You won’t see a penny or any other benefit unless you do something about it, and how much you end up costing the company (within certain limits) is up to you.
The Times reports that the proposed settlement assumes that only around seven million people will sign up for their credit monitoring offers. “If more do, Equifax’s costs for providing it could rise meaningfully,” the story observes.
Q: Okay. What can I do?
A: You can visit www.equifaxbreachsettlement.com, although none of this will be official or on offer until a court approves the settlement.
Q: Uh, that doesn’t look like Equifax’s site…
A: Good eyes! It’s not. It’s run by a third party. But we should probably just be grateful for that; given Equifax’s total dumpster fire of a public response to the breach, the company has shown itself incapable of operating (let alone securing) a properly functioning Web site.
Q: What can I get out of this?
A: In a nutshell, affected consumers are eligible to apply for one or more remedies, including:
–Free credit monitoring: At least three years of credit monitoring via all three major bureaus simultaneously, including Equifax, Experian and Trans Union. The settlement also envisions up to six more years of single bureau monitoring through Experian. Or, if you don’t want to take advantage of the credit monitoring offers, you can opt instead for a $125 cash payment. You can’t get both.
–Reimbursement: …For the time you spent remedying identity theft or misuse of your personal information caused by the breach, or purchasing credit monitoring or credit reports. This is capped at 20 total hours at $25 per hour ($500). Total cash reimbursement payment will not exceed $20,000 per consumer.
–Help with ongoing identity theft issues: Up to seven years of “free assisted identity restoration services.” Again, the existing breach settlement page is light on specifics there.
Q: Does this cover my kids/dependents, too?
A: The FTC says if you were a minor in May 2017 (when Equifax first learned of the breach), you are eligible for a total of 18 years of free credit monitoring.
Q: How do I take advantage of any of these?
A: You can’t yet. The settlement has to be approved first. The settlement Web site says to check back again later. In addition to checking the breach settlement site periodically, consumers can sign up with the FTC to receive email updates about this settlement.
Update: The eligibility site is now active, at this link.
The settlement site said consumers also can call 1-833-759-2982 for more information. Press #2 on your phone’s keypad if you want to skip the 1-minute preamble and get straight into the queue to speak with a real person.
KrebsOnSecurity dialed in to ask for more details on the “free assisted identity restoration services,” and the person who took my call said they’d need to have some basic information about me in order to proceed. He said they needed my name, address and phone number to proceed. I gave him a number and a name, and after checking with someone he came back and said the restoration services would be offered by Equifax, but confirmed that affected consumers would still have to apply for it.
He added that the Equifaxbreachsettlement.com site will soon include a feature that lets visitors check to see if they’re eligible, but also confirmed that just checking eligibility won’t entitle one to any of the above benefits: Consumers will still need to file a claim through the site (when it’s available to do so).
We’ll see how this unfolds, but I’ll be amazed if anything related to taking advantage of this settlement is painless. I still can’t even get a free copy of my credit report from Equifax, as I’m entitled to under the law for free each year. I’ve even requested a copy by mail, according to their instructions. So far nothing.
But let’s say for the sake of argument that our questioner is basically right — that this settlement breaks down to about $3 worth of flesh extracted from Equifax for each affected person. The thing is, this figure probably is less than what Equifax makes selling your credit history to potential creditors each year.
In a 2017 story about the Equifax breach, I quoted financial fraud expert Avivah Litan saying the credit bureaus make about $1 every time they sell your credit file to a potential creditor (or identity thief posing as you). According to recent stats from the New York Federal Reserve, there were around 145 million hard credit pulls in the fourth quarter of 2018 (it’s not known how many of those were legitimate or desired).
But there is something you can do to stop Equifax and the other bureaus from profiting this way: Freeze your credit files with them.
A security freeze essentially blocks any potential creditors from being able to view or “pull” your credit file, unless you affirmatively unfreeze or thaw your file beforehand. With a freeze in place on your credit file, ID thieves can apply for credit in your name all they want, but they will not succeed in getting new lines of credit in your name because few if any creditors will extend that credit without first being able to gauge how risky it is to loan to you. And it’s now free for all Americans.
This post explains in detail what’s involved in freezing your files; how to place, thaw or remove a freeze; the limitations of a freeze and potential side effects; and alternatives to freezes.
What’s wrong with just using credit monitoring, you might ask? These services do not prevent thieves from using your identity to open new lines of credit, and from damaging your good name for years to come in the process. The most you can hope for is that credit monitoring services will alert you soon after an ID thief does steal your identity.
If past experience is any teacher, anyone with a freeze on their credit file will need to briefly thaw their file at Equifax before successfully signing up for the service when it’s offered. Since a law mandating free freezes across the land went into effect, all three bureaus have made it significantly easier to place and lift security freezes.
Probably too easy, in fact. Especially for people who had freezes in place before Equifax revamped its freeze portal. Those folks were issued a numeric PIN to lift, thaw or remove a freeze, but Equifax no longer lets those users do any of those things online with just the PIN.
These days, that PIN doesn’t play a role in any freeze or thaw process. To create an account at the MyEquifax portal, one need only supply name, address, Social Security number, date of birth, any phone number (all data points exposed in the Equifax breach, and in any case widely available for sale in the cybercrime underground) and answer 4 multiple-guess questions whose answers are often available in public records or on social media.
And so this is yet another reason why you should freeze your credit: If you don’t sign up as you at MyEquifax, someone else might do it for you.
What else can you do in the meantime? Be wary of any phone calls or emails you didn’t sign up for that invoke this data breach settlement and ask you to provide personal and/or financial information.
And if you haven’t done so lately, go get a free copy of your credit report from annualcreditreport.com; by law all Americans are entitled to a free report from each of the major bureaus annually. You can opt for one report, or all three at once. Either way, make sure to read the report(s) closely and dispute anything that looks amiss.
It has long been my opinion that the big three bureaus are massively stifling innovation and offering consumers so little choice or say in the bargain that’s being made on the backs of their hard work, integrity and honesty. The real question is, if someone or something eventually serves to dis-intermediate the big three and throw the doors wide open to competition, what would the net effect for consumers?
Obviously, there is no way to know for sure, but a company that truly offered to pay consumers anywhere near what their data is actually worth would probably wipe these digital dinosaurs from the face of the earth.
That is, if the banks could get on board. After all, the banks and their various fingers are what drive the credit industry. And these giants don’t move very nimbly. They’re massively hard to turn on the simplest changes. And they’re not known for quickly warming to an entirely new model of doing business (i.e. huge cost investments).
My hometown Sen. Mark Warner (D-Va.) seems to suggest the $650 million settlement was about half what it should be.
“Americans don’t choose to have companies like Equifax collecting their data – by the nature of their business models, credit bureaus collect your personal information whether you want them to or not. In light of that, the penalties for failing to secure that data should be appropriately steep. While I’m happy to see that customers who have been harmed as a result of Equifax’s shoddy cybersecurity practices will see some compensation, we need structural reforms and increased oversight of credit reporting agencies in order to make sure that this never happens again.”
Sen. Warner sponsored a bill along with Sen. Elizabeth Warren (D-Ma.) called “The Data Breach Prevention and Compensation Act,” which calls for “robust compensation to consumers for stolen data; mandatory penalties on credit reporting agencies (CRAs) for data breaches; and giving the FTC more direct supervisory authority over data security at CRAs.
“Had the bill been in effect prior to the 2017 Equifax breach, the company would have had to pay at least $1.5 billion for their failure to protect Americans’ personal information,” Warner’s statement concludes.
Update, 4:44 pm: Added statement from Sen. Warner.
Is the secure.equifax… website secure? Or is there a safer way to do this?
I just looked the sites certificate and it looks fine.
I want to know if someone breached me
I just tried the online form and it doesn’t work. I guess that I’ll have to mail in my form.
Are these settlement payments taxable?
“Or, if you don’t want to take advantage of the credit monitoring offers, you can opt instead for a $125 cash payment.”
That doesn’t seem to be quite true. I tried to sign up for the payment, but the website requires you to “certify that I have credit monitoring and will have it for at least 6 months from today.” I’ve had credit monitoring in the past because of other breaches, and it was useless. What happens if you check that box and you don’t currently have credit monitoring?
Credit karma is free
Frankly, I have to agree with Senator Warren here that the consequences should be particularly steep. I have no desire for Equifax or any of the credit bureaus to track and store my personal information, yet there appears to be no way to “opt out” of this system. My only recourse is to figure out which action will extract the most flesh and proceed accordingly. Signing up for the laughable credit monitoring services, then freezing my credit for the next lifetime.
I need to now if i quantify for the lawsuit o your company. What more of my information send me know. please
Update: The eligibility site is now active, at this link. <==
or provide me with your name, address, DOB, SSN, Bank routing number and bank account number and i will take care of this for you.
That sounds like a great idea! Will you also deposit the money straight into my account??
I found out my information was breached. However it seem as though my credit wasn’t frozen and no new claims or credit lines were opened. Does this breach leave me open for future identify theft?
My information had been breached and so far this year I have had my Social Security sent to another bank and I had to go to the Social Security office to prove who I am to get it to be put back in my bank account. A month or so later I got an email advising that it was requested that my pension be sent to another bank. I have spent hours on the phone and sent letter requesting all of my accounts go on lockdown and now if I want anything done to my accounts, I have to write a letter because I cannot do any of it online anymore. To file my taxes I have to have a PIN number. I have no paperwork because I went to the office of Social Security and called Washington about my pension. Do I qualify to be compensated. I was given Equifax monitoring after the Chinese data breach years ago and my information had been breached.
So, after reading this article, I decided to sign on to my.equifax. I already have/had freezes on all three reporting agencies – Transunion, Experion and Equifax, but I was concerned about your warning that someone else could sign on and lift my freeze. Anyway, despite jumping through all their hoops, they couldn’t verify my identity, so I asked for them to mail a security code. It arrived today; I entered it; then I tried to log on to go to the dashboard or whatever they called it and it said I had to call “customer care” center. I spoke with a nice young man and I feel bad that he’s working for Equifax. He had me jump through more hoops including the date of when I first placed the freeze with Equifax (back in 2015); emailed me a link to change my password. After 32 minutes on the phone, I still could not log on. He said their security people would email me within TWO WEEKS! I told him not his fault, but I HATE Experian. They absolutely need to be terminated. No one could be worse!
You HATE Experian or Equifax…? This article is about Equifax. Are you sure you were trying to login to the correct site?
Can I simply say what a comfort to find an individual who genuinely knows what they are talking about over the internet.
You definitely know how to bring an issue to light and make
it important. A lot more people must check this out and understand this
side of the story. I can’t believe you’re not more popular given that you definitely possess the gift.
Can I dispute Transunion as well
Giving 6 digits of your SS number is a great way to get hacked. They should call this Equifaux.
Thanks for checking ‘Mike’. Has anyone else been able to ‘verify’ this is a legitimate process?
Does Brian Krebs monitor this site? There’s one dangerous comment in here !
If you’re scared to follow the links in the article, just visit FTC.gov in your browser.
and the moneys gone. For the $125 at least. https://www.consumer.ftc.gov/blog/2019/07/equifax-data-breach-pick-free-credit-monitoring
Trying to submit comments against the FTC response to getting our $125 (saying we basically won’t get it and should trust Equifax) (https://www.consumer.ftc.gov/blog/2019/07/equifax-data-breach-pick-free-credit-monitoring#comment-961750) I got a “CAPTCHA session reuse attack detected.” error and “Thanks! Your comment has been submitted for review.” when I was just submitting one comment.
I tried the “service” and don’t at all like it.
Option one, you can get 4 years of 3-bureau credit monitoring provided by Experian, plus 6 additional years of Equifax monitoring by Experian.
Option two: cash payment of up to $125 if you certify you have or will have within 6 months, credit monitoring.
Option three: you can be compensated at $25/hour for up to 20 hours spent trying to recover from fraud or identity theft caused by the data breach. (good luck proving either)
Option four: If you lost or spent money recovering from fraud or identity theft cause by Equifax, you can be reimbursed up to $20,000.
If Experian confirms your data was likely lost, but you’ve not suffered damages or loss, it seems you’re entitled to jack squat, screw you very much, you’ve been “serviced”, goodbye. There are apparently no actual consequences for this data breach unless a “customer” lost money, had their identity stolen or time was spent, i.e., no punitive damages recoverable from Experian. Business as usual for these crooks.
Can you file a claim for a deceased loved one who was affected?
How safe is it to submit SSN on the annual credit report site? The consumer affairs page for it has horrible reviews about it. https://www.consumeraffairs.com/online/annualcreditreport_com.html
Either this CA site has bogus reviews or ACR site is not secure.
Do I need to change my account number/credit cards/SSN? Like what was really released so I can decide what I should or don’t need to change, and will i be safe after these changes?