Millions of people likely just received an email or snail mail notice saying they’re eligible to claim a class action payment in connection with the 2017 megabreach at consumer credit bureau Equifax. Given the high volume of reader inquiries about this, it seemed worth pointing out that while this particular offer is legit (if paltry), scammers are likely to soon capitalize on public attention to the settlement money.
In 2017, Equifax disclosed a massive, extended data breach that led to the theft of Social Security Numbers, dates of birth, addresses and other personal information on nearly 150 million people. Following a public breach response perhaps best described as a giant dumpster fire, the big-three consumer credit reporting bureau was quickly hit with nearly two dozen class-action lawsuits.
In exchange for resolving all outstanding class action claims against it, Equifax in 2019 agreed to a settlement that includes up to $425 million to help people affected by the breach.
Affected consumers were eligible to apply for at least three years of credit monitoring via all three major bureaus simultaneously, including Equifax, Experian and TransUnion. Or, if you didn’t want to take advantage of the credit monitoring offers, you could opt for a cash payment of up to $125.
The settlement also offered reimbursement for the time you may have spent remedying identity theft or misuse of your personal information caused by the breach, or purchasing credit monitoring or credit reports. This was capped at 20 total hours at $25 per hour ($500), with total cash reimbursement payments not to exceed $20,000 per consumer.
Those who did file a claim probably started receiving emails or other communications earlier this year from the Equifax Breach Settlement Fund, which has been messaging class participants about methods of collecting their payments.
How much each recipient receives appears to vary quite a bit, but probably most people will have earned a payment on the smaller end of that $125 scale — like less than $10. Those who received higher amounts likely spent more time documenting actual losses and/or explaining how the breach affected them personally.
So far this week, KrebsOnSecurity has received at least 20 messages from readers seeking more information about these notices. Some readers shared copies of letters they got in the mail along with a paper check from the Equifax Breach Settlement Fund (see screenshot above).
Others said they got emails from the Equifax Breach Settlement domain that looked like an animated greeting card offering instructions on how to redeem a virtual prepaid card.
If you received one of these settlement emails and are wary about clicking the included links (good for you, by the way), copy the redemption code and paste it into the search box at myprepaidcenter.com/redeem. Successfully completing the card application requires accepting a prepaid MasterCard agreement (PDF).
The website for the settlement — equifaxbreachsettlement.com — also includes a lookup tool that lets visitors check whether they were affected by the breach; it requires your last name and the last six digits of your Social Security Number.
But be aware that phishers and other scammers are likely to take advantage of increased public awareness of the payouts to snooker people. Tim Helming, security evangelist at DomainTools.com, today flagged several new domains that mimic the name of the real Equifax Breach Settlement website and do not appear to be defensively registered by Equifax, including equifaxbreechsettlement[.]com, equifaxbreachsettlementbreach[.]com, and equifaxsettlements[.]co.
In February 2020, the U.S. Justice Department indicted four Chinese officers of the People’s Liberation Army (PLA) for perpetrating the 2017 Equifax hack. DOJ officials said the four men were responsible for carrying out the largest theft of sensitive personal information by state-sponsored hackers ever recorded.
Equifax surpassed Wall Street’s expectations in its most recent quarterly earnings: The company reported revenues of $1.24 billion for the quarter ending September 2022.
Of course, most of those earnings come from Equifax’s continued legal ability to buy and sell eye-popping amounts of financial and personal data on U.S. consumers. As one of the three major credit bureaus, Equifax collects and packages information about your credit, salary, and employment history. It tracks how many credit cards you have, how much money you owe, and how you pay your bills. Each company creates a credit report about you, and then sells this report to businesses who are deciding whether to give you credit.
Americans currently have no legal right to opt out of this data collection and trade. But you can and also should freeze your credit, which by the way can make your credit profile less profitable for companies like Equifax — because they make money every time some potential creditor wants a peek inside your financial life. Also, it’s probably a good idea to freeze the credit of your children and/or dependents as well. It’s free on both counts.
lawyers… ca-ching… harmed people… please may I have some more…
I wish they’d sue them out of business.
I got a bit over $10 dropped in my PayPal account. Woohoo, that certainly compensates me for all the time I spent sorting out the breach and fending off related attacks.
Received a whopping $5.21 in my paypal. I remember getting more than double this for the Red Bull data breach a few years ago.
Thanks for pointing out the scam-rescam scam. My terminology needs work, obviously {:-). But the Corpus Delicti is as follows … having once stolen information from a Registry (Equifax) a hacker then uses the settlement offer loot as bait for users to authoritatively correct misinformation (with them listening in in real time of course).
The Social Security Administration had a related problem long ago: see Social Security Cards Issued by Woolworth (https://www.ssa.gov/history/ssn/misused.html). The problem took decades to fix and they will never be immune. This Fall the SSA “invited” SS recipients to update their records, but unlike Equifax (and their Woolworth catastrophe) it was a two step process: 1) establish a username 2) mail a temporary password (which can then be changed on line). The one “weak link” I could see was the “virtual” HelpDesk for expats who were routed through various Embassies by country of residence. Not a real big problem with State actor hackers who would risk espionage charges for their “data mining activities”.
Honestly Brian it isn’t worth my time. I give my barber a better tip.
I’m not happy I got less than $9 (just hit paypal about an hour ago). On the other hand I’m glad it got congress motivated to make freezing/thawing your credit free in all states.
Thanks for the info, Brian.
I claimed 7 hours 15 minutes with a detailed description of the work involved. I received a pre-paid card for a pitiful, insulting, $12.77.
My work description included: researching freezes and fraud alerts with the State Dept of Banking & Insurance & 3 credit bureaus and what to do. Setting up the credit freeze at all 3 bureaus. Checking eligibility and reading terms of service agreement for Equifax Trusted ID Premier credit monitoring. Reading EquifaxSecurity2017.com progress updates online. Trying to enroll in Equifax Trusted ID Premier, but receiving MULTIPLE failure errors. Calling Equifax response line 866-447-7559 (very, very long hold times) to get help. Called Equifax response line 866-447-7559 and then 877-742-1415 due to errors with activating. Creating login credentials.
So I wasted even more time claiming a cash payment to receive practically nothing in compensation. Seems outrageous.
I claimed 7 hours 15 minutes with a detailed description of the work involved. I received a pre-paid card for a pitiful, insulting, $12.77.
My work description included: researching freezes and fraud alerts with the State Dept of Banking & Insurance & 3 credit bureaus and what to do. Setting up the credit freeze at all 3 bureaus. Checking eligibility and reading terms of service agreement for Equifax Trusted ID Premier credit monitoring. Reading EquifaxSecurity2017.com progress updates online. Trying to enroll in Equifax Trusted ID Premier, but receiving MULTIPLE failure errors. Calling Equifax response line 866-447-7559 (very, very long hold times) to get help. Called Equifax response line 866-447-7559 and then 877-742-1415 due to errors with activating. Creating login credentials.
So I wasted even more time claiming a cash payment to receive practically nothing in compensation.
$14! Ohhh, what a windfall!
i got $5.20… woo hoo!
I got $5.21 and they still have my information unbelievable
Same amount i got
Seeing the anecdotal evidence of amounts, the affected class size, the disregard to data security, and the fact it’s “business as usual” for Equifax, they got off way too easy. People were advertised up to $125 and are getting fractions of that. I haven’t gotten my check yet but I can guarantee you I’ve gotten settlement checks for breakfast cereals more than it. If people were really ever going to get $125, the payout pool would’ve needed to have been $20B (after court fees, lawyers, and admin expenses).
I received my payment today for $3.52 despite applying for an hour’s work. I will be flying to Fiji for a month-long vacation.
Seems fair to me, in exchange for letting every bit of mine and my wife’s personal information be stolen we each got 1 free year Equifax identity theft protection and the cold hard cash. In exchange our identities are at risk up to and after death although I won’t have to worry about it then. Meanwhile the class action lawyers made millions.
Plus, my wife has never gotten a response other than the ID theft protection. What will we do without that cash payment? What a fucked-up creature is predatory capitalism.
Wow, now I feel special at $21.09. These things are always a scam for everyone but the lawyers.
You won’t get much money off the settlement, the shady attorneys take most of it
I opted in to the identity theft protection as I thought it was a better option
All attorneys were paid already now they have to make your check up
The FTC site says the email will come from equifaxdatabreachsettlement.com. However, the one I received, which linked to the “my prepaid center” did not. If it is legit, they need to make it clear that it is on their site.
Mine came from equifaxdatabreachsettlement@hawkmarketplace.com. I was very suspicious that it was a scam but since the info they were requesting was just basic (name, billing address, phone number), I went ahead and did it. It turned out to be legit. After entering my info, I got an image of a prepaid Mastercard debit card loaded with my amount ($15.78). I happen to have my own merchant account for my small business, so I charged the amount to the card and it worked. So my conclusion is that Equifax (or the lawyers) made it look scammy on purpose so that fewer people would redeem their rewards (leaving more money for them).
The only people actually getting paid are the lawyers. Such a joke.
same looked like a scam, i only got $5.21 but not claiming it just not worth it
Thanks for the info Denise. I got an email from the same address as well. For $10.49! What a joke! It’s not even worth my time and effort to redeem. So the lawyers can have that too! What a big drop from the $125.00 that was mentioned we would receive.
It says my card info is wrong do younow what i can do now to fix my card
I agree. This was my experience. Thank you
Thanks, Brian – a critical point to note since I have tried to freeze and subsequently lock my credit as the more secure and appropriate step IMHO
3 agencies
Free locking from Equifax and Transunion. Easy to do, no cost, and accessible
But Experian will not lock your credit without you having to pay a subscription to them for a “service”
Not much point in locking 2 of 3 so everyone is forced to pay Experian for a service that should be free.
$5.21..really
I got a claim payment of $5.21. Not even worth transferring it to any account.
$7.49 into my Paypal account. What a deal, what great compensation!
Total waste of my dealing with their negligence. Wonder how much the schiester lawyers got…
$7.49 into my Paypal account. What a deal, what great compensation!
Total waste of my dealing with their negligence. Wonder how much the schiester lawyers got…
These class action lawsuits are so ridiculous… the remedies are never remedies up to the damage that has been done
$5.21
What a racket. Prepaid debit card to be used in their online shop/merchants, $3.00 feed deducted if you want a plastic card.
Use digital card info and add card to Amazon. Then purchase a gift card for the full amount
…and k Street Credit agency lobbyists just roller skate down the halls of Congress, tossing bags of money in offices as they pass by…sp don’t expect change anytime soon…
Can these credit beasts get so big they literally explode? (Be still, my heart…)
I got the email in my junk folder, I almost never clicked on it, I never claimed the virtual card its not worth the time, for $5.21 lol What a joke!! I claimed 8 hrs of time spent getting my credit back on track because they had me combined with another person in same state with same name and I had to have them remove the other persons info off my credit report due to this breach. And they don’t make it easy either I had to send in letters and copies of my identity. And for their mistake leaking my information out I only get $5.21?!
How come I only got $5.21, apparently to low end of the comical payout range? Where is Santa this year?
Dang, suddenly I feel lucky I got the $42.59 that I did. I don’t remember exactly what I filled out now, but I do know I paid them exorbitant subscriptions fees for like, 10 yrs at least for both myself and my deceased mom. I filed for her estate too so I’ll have to check my mailbox to see if it got anything.
Received $22.82 through the virtual prepaid card. The email to claim it looked kind of phishie. The card does not work. Tried it on several sites.
The paltry settlement amounts here are a slap in the face to every consumer who placed their trust in Equifax. Furthermore, what recourse will there be for those who are impacted long after the settlement? The short answer appears to be none! Imagine this scenario, you are the equifax threat actor and you find in your newly stolen data repository the details of law students and other future white collar professionals who stand to earn a substantial living . Do you hold on to that information and pivot decades later for when they are more likely to be a partner in a lucrative firm with more to lose? The social security numbers did not change, nor did the names. How hard will it be to pull together the other pieces in light of oversharing on social media and other cyber hygiene failures? Is the birthday on Facebook? Kids or Spouse names tagged in exposed photos or Instagram posts? What information that is likely to be used as a password is shared elsewhere? in 1983, Professor Falkon’s son’s name Joshua was the password responsible for executing Global Thermonuclear War in the Movie War Games.Thirty nine years later, passwords are still being guessed and compromised. Recently, Infragard was compromised because a CEO for a large financial services company that has not yet been disclosed had their account compromised. There must be more transparency of governance and accountability for failures if we are to accelerate trust in the digital realm. Paltry, symbolic settlements don’t cut it when the true risk lingers for a lifetime.
WTH I claimed probably 12-15 hrs, I got $12.26