22
Jul 19

What You Should Know About the Equifax Data Breach Settlement

Big-three credit bureau Equifax has reportedly agreed to pay at least $650 million to settle lawsuits stemming from a 2017 breach that let intruders steal personal and financial data on roughly 148 million Americans. Here’s a brief primer that attempts to break down what this settlement means for you, and what it says about the value of your identity.

Q: What happened?

A: If the terms of the settlement are approved by a court, the Federal Trade Commission says Equifax will be required to spend up to $425 million helping consumers who can demonstrate they were financially harmed by the breach. The company also will provide up to 10 years of free credit monitoring to those who had their data exposed.

Q: What about the rest of the money in the settlement?

A: An as-yet undisclosed amount will go to pay lawyers fees for the plaintiffs.

Q: $650 million seems like a lot. Is that some kind of record?

A: If not, it’s pretty close. The New York Times reported earlier today that it was thought to be the largest settlement ever paid by a company over a data breach, but that statement doesn’t appear anywhere in their current story.

Q: Hang on…148 million affected consumers…out of that $425 million pot that comes to just $2.87 per victim, right?

A: That’s one way of looking at it. But as always, the devil is in the details. You won’t see a penny or any other benefit unless you do something about it, and how much you end up costing the company (within certain limits) is up to you.

The Times reports that the proposed settlement assumes that only around seven million people will sign up for their credit monitoring offers. “If more do, Equifax’s costs for providing it could rise meaningfully,” the story observes.

Q: Okay. What can I do?

A: You can visit www.equifaxbreachsettlement.com, although none of this will be official or on offer until a court approves the settlement.

Q: Uh, that doesn’t look like Equifax’s site…

A: Good eyes! It’s not. It’s run by a third party. But we should probably just be grateful for that; given Equifax’s total dumpster fire of a public response to the breach, the company has shown itself incapable of operating (let alone securing) a properly functioning Web site.

Q: What can I get out of this?

A: In a nutshell, affected consumers are eligible to apply for one or more remedies, including:

Free credit monitoring: At least three years of credit monitoring via all three major bureaus simultaneously, including Equifax, Experian and Trans Union. The settlement also envisions up to six more years of single bureau monitoring through Experian. Or, if you don’t want to take advantage of the credit monitoring offers, you can opt instead for a $125 cash payment. You can’t get both.

Reimbursement: …For the time you spent remedying identity theft or misuse of your personal information caused by the breach, or purchasing credit monitoring or credit reports. This is capped at 20 total hours at $25 per hour ($500). Total cash reimbursement payment will not exceed $20,000 per consumer.

Help with ongoing identity theft issues: Up to seven years of “free assisted identity restoration services.” Again, the existing breach settlement page is light on specifics there.

Q: Does this cover my kids/dependents, too?

A: The FTC says if you were a minor in May 2017 (when Equifax first learned of the breach), you are eligible for a total of 18 years of free credit monitoring.

Q: How do I take advantage of any of these?

A: You can’t yet. The settlement has to be approved first. The settlement Web site says to check back again later. In addition to checking the breach settlement site periodically, consumers can sign up with the FTC to receive email updates about this settlement.

Update: The eligibility site is now active, at this link.

The settlement site said consumers also can call 1-833-759-2982 for more information. Press #2 on your phone’s keypad if you want to skip the 1-minute preamble and get straight into the queue to speak with a real person.

KrebsOnSecurity dialed in to ask for more details on the “free assisted identity restoration services,” and the person who took my call said they’d need to have some basic information about me in order to proceed. He said they needed my name, address and phone number to proceed. I gave him a number and a name, and after checking with someone he came back and said the restoration services would be offered by Equifax, but confirmed that affected consumers would still have to apply for it.

He added that the Equifaxbreachsettlement.com site will soon include a feature that lets visitors check to see if they’re eligible, but also confirmed that just checking eligibility won’t entitle one to any of the above benefits: Consumers will still need to file a claim through the site (when it’s available to do so).

ANALYSIS

We’ll see how this unfolds, but I’ll be amazed if anything related to taking advantage of this settlement is painless. I still can’t even get a free copy of my credit report from Equifax, as I’m entitled to under the law for free each year. I’ve even requested a copy by mail, according to their instructions. So far nothing.

But let’s say for the sake of argument that our questioner is basically right — that this settlement breaks down to about $3 worth of flesh extracted from Equifax for each affected person. The thing is, this figure probably is less than what Equifax makes selling your credit history to potential creditors each year.

In a 2017 story about the Equifax breach, I quoted financial fraud expert Avivah Litan saying the credit bureaus make about $1 every time they sell your credit file to a potential creditor (or identity thief posing as you). According to recent stats from the New York Federal Reserve, there were around 145 million hard credit pulls in the fourth quarter of 2018 (it’s not known how many of those were legitimate or desired).

But there is something you can do to stop Equifax and the other bureaus from profiting this way: Freeze your credit files with them.

A security freeze essentially blocks any potential creditors from being able to view or “pull” your credit file, unless you affirmatively unfreeze or thaw your file beforehand. With a freeze in place on your credit file, ID thieves can apply for credit in your name all they want, but they will not succeed in getting new lines of credit in your name because few if any creditors will extend that credit without first being able to gauge how risky it is to loan to you. And it’s now free for all Americans.

This post explains in detail what’s involved in freezing your files; how to place, thaw or remove a freeze; the limitations of a freeze and potential side effects; and alternatives to freezes.

What’s wrong with just using credit monitoring, you might ask? These services do not prevent thieves from using your identity to open new lines of credit, and from damaging your good name for years to come in the process. The most you can hope for is that credit monitoring services will alert you soon after an ID thief does steal your identity.

If past experience is any teacher, anyone with a freeze on their credit file will need to briefly thaw their file at Equifax before successfully signing up for the service when it’s offered. Since a law mandating free freezes across the land went into effect, all three bureaus have made it significantly easier to place and lift security freezes.

Probably too easy, in fact. Especially for people who had freezes in place before Equifax revamped its freeze portal. Those folks were issued a numeric PIN to lift, thaw or remove a freeze, but Equifax no longer lets those users do any of those things online with just the PIN.

These days, that PIN doesn’t play a role in any freeze or thaw process. To create an account at the MyEquifax portal, one need only supply name, address, Social Security number, date of birth, any phone number  (all data points exposed in the Equifax breach, and in any case widely available for sale in the cybercrime underground) and answer 4 multiple-guess questions whose answers are often available in public records or on social media.

And so this is yet another reason why you should freeze your credit: If you don’t sign up as you at MyEquifax, someone else might do it for you.

What else can you do in the meantime? Be wary of any phone calls or emails you didn’t sign up for that invoke this data breach settlement and ask you to provide personal and/or financial information.

And if you haven’t done so lately, go get a free copy of your credit report from annualcreditreport.com; by law all Americans are entitled to a free report from each of the major bureaus annually. You can opt for one report, or all three at once. Either way, make sure to read the report(s) closely and dispute anything that looks amiss.

It has long been my opinion that the big three bureaus are massively stifling innovation and offering consumers so little choice or say in the bargain that’s being made on the backs of their hard work, integrity and honesty. The real question is, if someone or something eventually serves to dis-intermediate the big three and throw the doors wide open to competition, what would the net effect for consumers?

Obviously, there is no way to know for sure, but a company that truly offered to pay consumers anywhere near what their data is actually worth would probably wipe these digital dinosaurs from the face of the earth.

That is, if the banks could get on board. After all, the banks and their various fingers are what drive the credit industry. And these giants don’t move very nimbly. They’re massively hard to turn on the simplest changes. And they’re not known for quickly warming to an entirely new model of doing business (i.e. huge cost investments).

My hometown Sen. Mark Warner (D-Va.) seems to suggest the $650 million settlement was about half what it should be.

“Americans don’t choose to have companies like Equifax collecting their data – by the nature of their business models, credit bureaus collect your personal information whether you want them to or not. In light of that, the penalties for failing to secure that data should be appropriately steep. While I’m happy to see that customers who have been harmed as a result of Equifax’s shoddy cybersecurity practices will see some compensation, we need structural reforms and increased oversight of credit reporting agencies in order to make sure that this never happens again.”

Sen. Warner sponsored a bill along with Sen. Elizabeth Warren (D-Ma.) called “The Data Breach Prevention and Compensation Act,” which calls for “robust compensation to consumers for stolen data; mandatory penalties on credit reporting agencies (CRAs) for data breaches; and giving the FTC more direct supervisory authority over data security at CRAs.

“Had the bill been in effect prior to the 2017 Equifax breach, the company would have had to pay at least $1.5 billion for their failure to protect Americans’ personal information,” Warner’s statement concludes.

Update, 4:44 pm: Added statement from Sen. Warner.

Tags:

128 comments

  1. Thanks for clarifying that even with PIN I need to set up acct at myEquifax. Did that and noticed my acct still frozen so I was gratified by that.

    What is NOT clear to me is if I need to do something with the other 3 credit agencies. When Brian wrote about the freeze I obtained pins from all 4 agencies which was well before the EqFax breach. My acct’s have been frozen for many years.

    So do the others agencies have a similar arrangement whereby someone can fraudulently set up an account in my name even tho I have already frozen with a PIN?

  2. The CRA’s are terrible stewards of our data. And not only from cybersecurity perspective, but business perspective. Constantly selling our data. Wonder why you get 15 mortgage mailers when shopping for a home? Or if your a business owner applying for commercial loan and suddenly you get called 8 times from other lenders the day you applied for a loan with a single lender. Internally, they are selling leads to hundreds of lenders based on your personal credit information. These are not hard/soft pulls, since it’s the CRA’s themselves pulling the data and selling the lead including lots of PII information. It’s called trigger leads. They will spin it as giving the consumer options. Their lobbyists wrote the CCPA.

    Also… on another note… If FB wants to complete their data, they just need to buy Experian or Equifax or TU. Just kidding….

  3. Why do you keep writing ‘Americans’? Plenty of foreigners have SSNs, since you need one to get paid (think students and visa and green card holders, for example)

  4. Will those affected in the UK benefit?

  5. It always amazes me how many readers will ask questions or complaints already answered in the body of an article or in previous comments.

    • We call that a “Komodo Dragon”, based on the Bob and Ray routine: https://www.youtube.com/watch?v=gZEyvwhjcFk

    • Exploit this equifaxdatabreach website to see what data they are mining…. NEVER give a website SIX digits of your SSN!!!!

      On the Last Name Social Security Number page:
      Name: SMITH (Or Jones, or Johnson, or Garcia)
      SSN: Mash the top 6 digits on your number pad (798476579877897654687646549874654)

      DING DING DING YOU QUALIFY!!!!!
      On the next page, provide this website with THE REST OF YOUR IDENTITY!!!!!!

  6. BetterOffDead

    I want my $2!

    Thanks for the info.

  7. And as of today, right now, their website still has an F rating for security. If that doesn’t tell you anything about their lack of commitment to security, nothing can.
    https://www.ssllabs.com/ssltest/analyze.html?d=equifax.com

  8. They should have been sued out of existence. That actually might provide some incentive to implement decent security. Instead, they will simply pass on the cost of the fine to their customers who buy our data who will then, in turn, pass their increased costs on to us.

  9. Question:

    In the FTC link, it says you can get reimbursed “For the time you spent dealing with the breach. You can be compensated $25 per hour up to 20 hours.”

    Does this include the time you spent researching about the breach, how it affect you, your spouse, and your kids? Is that a reimbursable number of hours of time?

    -Thanks for any guidance!

  10. send me my mail at 411 Martin Luther King Blvd Gretna Florida 32332 are my brother at 850-544-7380 he can find me Thank you and have a good day.

  11. What a joke when you consider Equifax’s annual revenue for 2018 was $3.412B. There’s little to no punishment for breaches like this and companies will continue to turn a blind eye to security because it’s extra money they could be saving.

    • What do you mean? That fine is 19% of their annual revenue. That’s a MASSIVE fine. GDPR’s max fine is 4% of annual global turnover to my knowledge.

      • Do you think for one second that the fine will impact anything in anyone’s lives there? No CEO will go without his double douche latte and puff pastry while riding in his private jet. The fine has no meaning other than to Allow them to pay a bribe to not go to jail.

      • Do you really think that’s going to impact how Equifax does business any differently? Do you honestly think this fine will change anything? I don’t, this will just be swept under the rug and breaches like these will continue to happen with minimum impact to the business.

  12. Fool if you think it's over!

    So like Facebook the punishment is just another months salary and done. Cheaper to pay the fine than fix the problem.
    I hear trucking companies do the same thing – pay the overweight fines rather than pay for more trucks and drivers on the road to haul the same amount of product.
    The company only pays only if they get caught.

    Why should a company pay out for security if the penalty for not having is cheaper?

    Meanwhile the taxpayer\consumer is left holding the bag.

    • “Just another month’s salary”

      Equifax has an annual revenue of $3.1B, which means a month’s salary would be ~$258.3M. They are being fined $650M. To put it into perspective: that’s 21% of their annual income. That most certainly is not a slap on the wrist. Do they deserve it? Absolutely… and then some (in my opinion). However, we can’t be so naive to think that fine isn’t going to impact them. Think of it this way, if you budgeted $1,000 for your rent out of a total of $4,000 a month you receive–assuming that same fine of 21%–you now would make $3,160 a month and still have the same payment of your rent (on top of the other expenses). Will you still make your rent? Sure. However, you most definitely are going to need to stretch that money a lot further and cut costs in your budget elsewhere to make up the difference to accommodate your other expenses.

      • The difference is they can make up that money by increasing the cost of their product they are selling to their consumers where as we cannot increase our salary or charge more for our time spent making said income. Could we work OT (if hourly), sure but we are still paying with our time. The consumer always pays.

    • “I hear trucking companies do the same thing – pay the overweight fines rather than pay for more trucks and drivers on the road to haul the same amount of product.
      The company only pays only if they get caught.”

      I don’t know where you “heard” that load of nonsense or what it has to do with Equifax but you are completely wrong.

      Read up on the facts before helping to spread false information like that statement.

  13. A while back I did the freeze at all four companies. I have a note where I jotted down a 16 digit unfreeze number (4 sets of 4), but, stupid me, I did not wrote down which company it was for. Any ideas which company uses a 16 digit unfreeze PIN?

  14. I tried to access My Equifax yesterday only to have it lock my account. Called customer service and was told the site is being updated and this is a known problem that has been occurring for about a month. I’m dumbfounded at their IT failure if this is the case. (Maybe it’s intentional to prevent people from freezing their credit from the new coverage?) Either way, this is one company I would be happy to see dismantled. Love the reporting Brian, keep it up.

  15. At least the CEO is well taken care of:
    As Chief Executive Officer at EQUIFAX INC, Mark W. Begor made $20,013,712 in total compensation. Of this total $1,009,615 was received as a salary, $806,833 was received as a bonus, $3,372,803 was received in stock options, $14,473,853 was awarded as stock and $350,608 came from other types of compensation. This information is according to proxy statements filed for the 2018 fiscal year.

    Any way he should kick in a few bucks as restitution or is that too harsh?

    • James, that’s way too harsh! We can’t expect the fearless leader, who is in no way at fault for the breach, have to pay their own money (sarcasm). In all honesty though, I don’t see why part of the fines wouldn’t be to have the CEOs pay restitution like you said. Maybe that’s the wake up call these people need. It wouldn’t be fair if the company gets fined like they did and the CEO still is sitting pretty with a cool several million a year.

  16. So I just got off the phone with the settlement administrator people. Apparently in the coming week or so there will be a tool on their site that will allow people to determine/confirm if they were affected by the breach.

    I hope that tool doesn’t end up leaking more data…

  17. chris robbins

    More FUD. I see nothing on the Settlement website that mentions ‘$250 in compensation without documentation.’ It mentions 4 years of free credit monitoring by Experian (be still my heart) or $125. I’m no mathematician but I think $125 is half of $250.

    You can still do the “up to $20,000” comp thing at $25/hr but that requires full documentation of the time and money you spent and/or the losses you incurred.

    • chris robbins

      Apologies to the article’s author. I think I got the $250 number from an obviously erroneous article on Market Watch and didn’t read this one carefully enough. The correct number ($125) is mentioned here clear as day. Anyone know how to delete posts?

  18. Haven't been hacked yet

    Tried setting up a new freeze online – they couldn’t verify my identity so I requested they send me a one time code via US mail. We’ll see how this plays out. I’m not expecting much, just the same ole, same ole game. I do agree with some (many) these dino’s should be sent to the tar pits and replaced by something that is fair to consumers and is not setup to only profit corporate America. Hope my other freezes are intact and safe. Brian, let us know if we need to be concerned about the other CRA players.

  19. After the breech, I put a freeze in place at Equifax, Experian, and TransUnion. Equifax was free, the others $10 each (this was before Congress made them free). I also did that for my wife, so we’re out $40 and about an hour of my time. Can I recover the code for the freezes?

  20. You gotta prove how you were negatively affected by the breach to receive settlement, yet Equifax can’t prove that your data is safe. Ok.

  21. I have done everything they told me to so that my credit and ID can be protected. Yes, I put a freeze on my credit as well … however it isn’t stopping these people from getting an ID with my name and information, then renting an apartment and not pay rent … they get evicted and BAM $5,889 against my credit. Police can/will not do anything. I was told to contact my local PD, local PD said to contact PD of where the person rented the apartment … and it goes back and forth. So far 2 apartments that I am aware of. So this has impact on more than just credit cards in your name! But yeah $2.00 should make it all disappear!!!

  22. Please note that while the site serving eligibility.equifaxbreachsettlement.com currently shows an A+ rating, https://www.ssllabs.com/ssltest/analyze.html?d=eligibility.equifaxbreachsettlement.com, this says nothing about the protection of back-end data.

  23. Great article as always, Brian!

    Sen. Mark Warner has the right of it. As long as the players are shielded by incorporation, probably nothing will change. A corporation is like a machine, with the honesty and emotions of a machine, so don’t expect much. If that $650M came out of top management salaries, bonuses, and perks, I bet things would change for the better within a fiscal quarter…

  24. I have been posting on this forum for some time about an issue. The credit bureau companies use a standard set of security questions. As Krebs points out in the article above those multiple-guess questions are pulled from public information.
    I read about a web site that offers up the answers to many of those questions free of charge. No requirement to register or provide credit card info to acquire those answers. I learned about the web site while reading regular mainstream media. The articles expressed concern from law enforcement not wanting their street addresses becoming known to those they arrested. It lists every previous address a person has lived at (does not matter if they owned or rented).
    https://www.washingtonpost.com/news/the-intersect/wp/2017/01/12/youve-probably-never-heard-of-this-creepy-genealogy-site-but-its-heard-all-about-you/

    I choose to use the opt out feature for myself and every single family member that i know. Since it claims to be a genealogy site, i did not want my data being available through another family member.

  25. I’m wondering what do you guys think about choosing the $125 cash payment vs. the 4 years and “$1,000,000 of identity theft insurance.”

    At first I thought this was a no-brainer.. “of course I’ll take the money!” as I would usually choose cash over a service. Of course, I have credit karma, Discover, and many others for monitoring basic info about updates to my credit.

    But I’m wondering if you guys know or could add more to this post about what the benefits of these normally paid-for credit monitoring services? Would these services be much better than the free ones?

    I’m also especially curious about the “$1,000,000 of identity theft insurance.” I actually spend about half the year overseas now.. and I sometimes worry about someone stealing a piece of mail.. getting my SSN.. and then using it for something.. or obviously having info hacked and my SSN being used for something by another party. I’d love some more information about how the million dollars of identity theft insurance works? What exactly does it cover AND not cover?

    Though my gut tells me to take the $125 cash.. but it just seems like for some people (depending on the missing details) that the 4 years of premium credit monitoring service and “$1,000,000 of identity theft insurance.” could be a better choice?

    What do you guys know / think about these thoughts?

    Thanks

    e.g: I forgot to mention.. a signature card for a bank that I mailed earlier this year was never received by that bank.. so apparently there’s at least one piece of mail with my SSN on it floating around out there somewhere in the USA. Either that or the bank was just incompetent (PNC) and lost or misplaced it.

  26. I put the question in a long reply. But let me just simply ask the question again.

    How valuable do other DoC readers think that the “$1,000,000 worth of identity theft insurance” would be worth? I mean a million dollars seems good in case of any damages that were to happen over the next four years? But I wonder whether anyone knows the limitations of availing the insurance, and what kind of situations are included and excluded? Seems like it might be worth more than $125? Just wondering though about other people’s thoughts.

  27. Why haven’t they made these Credit Agencies responsible for monitoring the rest of our lives for free? My SS# and personal information donot self destruct after several years, it is compromised for life.

  28. None of the links seem to be working today!

  29. Ummm… so…. when I go to the claim page (https://secure.equifaxbreachsettlement.com/en/claim), Kaspersky flags it as “URL listed in database of phishing URLs.” I re-checked that I had the right URL several times…

Leave a comment