Hearing about another major hack has become nothing new, but if you were one of the millions whose information was exposed in the Equifax data hack, you can find out what to do now.
Equifax will pay at least $700 million — and potentially much more — to settle lawsuits over a 2017 data breach that exposed the Social Security numbers and similar sensitive information of roughly half of the U.S. population.
The settlement with federal authorities and states, reached Monday, includes up to $425 million in monetary relief to consumers, a $100 million civil penalty, and other offers to the nearly 150 million people who could have been affected. It can’t, however, guarantee safety for individuals whose stolen information could circulate on the internet for decades.
The breach was one of the largest ever to threaten Americans’ private information. The credit reporting company didn’t notice the intruders targeting its databases, who exploited a known security vulnerability that Equifax hadn’t fixed, for more than six weeks.
The compromised data included Social Security numbers, birth dates, addresses, driver license numbers, credit card numbers and in some cases, data from passports. The resulting scandal led to the abrupt dismissal of Equifax’s then-CEO and many other executives at the company.
“Companies that profit from personal information have an extra responsibility to protect and secure that data,” said Federal Trade Commission Chairman Joe Simons. “Equifax failed to take basic steps that may have prevented the breach.”
Equifax CEO Mark Begor said in a statement that the settlement “reinforces our commitment to putting consumers first and safeguarding their data.”
Consumer advocates were generally positive on the settlement, but had concerns about its timescale. Claims can only be filed for the next four years, but the thieves stole permanently identifiable information like Social Security numbers and birthdates, the data could be used for decades to commit identity theft.
“What happens if a consumer is the victim of ID theft in the fifth year resulting from the breach, which costs the consumer tens of thousands of dollars?” said Chi Chi Wu, staff attorney at the National Consumer Law Center.
Shares of Equifax, which plunged 30% following disclosure of the breach, have since made up that drop. On Monday, Equifax stock price closed at $137.84 — not far from its price of $141.45, where it was trading just before the breach was disclosed on Sept. 7, 2017. Business analysts say the settlement will remove a cloud of uncertainty over Equifax’s business.
It also, however, underscores that U.S. consumers are still at the mercy of the credit-reporting companies when it comes to protecting their crucial personal details. Two years after the breach, Equifax, along with its competitors TransUnion and Experian, remain the primary repositories of the data that banks use to make credit decisions.
They face little regulation and disclose few details about their operations, despite promises to tighten security and rebuild consumer trust. Ordinary people have no easy way to opt out of the data collection that lands their personal details in corporate databases.
Equifax’s CEO said he has seen zero evidence the stolen data has appeared for sale on the so-called “dark web” and no evidence of an increased identity theft because of the breach. The company did not provide any evidence to back up that claim.
Security experts said there’s really no way to know, especially in the absence of third-party validation. “You cannot determine with certainty that the information will never wind up in the hands of people who are going to use it,” said Ryan Calo, a law professor at the University of Washington.
“It is a lifetime risk exposure,” said Rich Mogull, CEO of the security firm Securosis, who added that the data might be useful for surreptitious uses beyond direct identity fraud.
Settlement payments will flow through a number of complex channels. Equifax will initially pay $380.5 million into a fund to cover identity theft resulting from the breach, as well as any costs related to credit monitoring. The company will pay an additional $125 million if victims’ out-of-pocket expenses deplete the initial fund.
Should all 147 million victims sign up for credit monitoring services, Equifax could potentially be on the hook for $2 billion.
Equifax will offer victims of the breach free credit monitoring services for up to 10 years, identity-restoration services for seven years, and six Equifax credit reports annually for the next seven years. That’s on top of the free report all credit reporting companies must offer U.S. residents every year.
Victims can also seek up to $125 as a reimbursement for the cost of a credit-monitoring product of their choice. Consumers must submit claims for free credit monitoring or cash reimbursements. The settlement received preliminary approval from a federal judge Monday, and claims can start processing Tuesday.
Equifax will have to spend at least $1 billion over five years to enhance its cybersecurity practices and will owe a $100 million fine to the Consumer Financial Protection Bureau and tens of millions of dollars to states and territories to settle their lawsuits.
For information on the terms of the settlement, as well as to file a claim, potential victims should go to https://www.equifaxbreachsettlement.com .
What You Need To Know About The Equifax Hack
HOW DID HACKERS BREAK IN?
According to the Government Accountability Office, the investigative arm of Congress, a server hosting Equifax’s online dispute portal was running software with a known weak spot. The hackers, who have not been identified, jumped through the opening to reach databases containing consumers’ personal information. The attack went unnoticed by Equifax for more than six weeks.
Equifax officials told GAO the company made many mistakes. Some were as simple as having an outdated list of computer systems administrators. When the company circulated a notice to install a patch for the software vulnerability, the employees responsible for installing the patch never got it.
HOW HAS THE BREACH AFFECTED CONSUMERS?
Equifax says it hasn’t seen much of an increase in identity theft, but it is difficult to tell precisely who has been affected and how.
“You cannot determine with certainty that the information will never wind up in the hands of people who are going to use it,” said Ryan Calo, a law professor at the University of Washington.
Even if the data hasn’t been used, the unease and discomfort caused by large breaches also should be taken into account, Calo added.
WHAT DO CONSUMERS GET FROM THE SETTLEMENT?
Affected consumers may be eligible for up to $20,000 in reimbursements for losses from unauthorized charges to affected accounts, legal and other fees, credit-monitoring or identity-theft-protection services and expenses related to freezing or unfreezing credit reports. For the time spent dealing with the breach, consumers can seek $25 per hour for up to 20 hours as compensation.
All impacted consumers will be eligible to receive 10 years of free credit monitoring, at least seven years of free identity-restoration services, and, starting in 2020, six free copies of their Equifax credit report each year for seven years. That’s on top of the free copy consumers can already get by law every 12 months from each of the three big agencies — Equifax, Experian and TransUnion. For minors, free credit monitoring increases to 18 years.
Consumers can opt instead for a $125 cash payment for a credit-monitoring product of their choice.
Consumers must submit a claim to receive free credit monitoring or cash reimbursements.
WHAT CAN CONSUMERS DO WITH CREDIT REPORTS?
Consumers should examine the listed accounts and loans to make sure that the information is correct and that they authorized the transactions. If something is suspicious, contact the company that issued the account and the credit-rating agency.
Consumers should consider freezing their credit, which stops thieves from opening new credit cards or loans in their names. It can be done online. Consumers can freeze their credit for free because of recent legislation, avoiding fees that were typically $5 to $10 per rating agency. Just remember to temporarily unfreeze credit, also free, when applying for a new credit card or loan.
MAKING THE CLAIM
The U.S. District Court in Atlanta granted preliminary approval Monday. The FTC said that the initial claims period will begin Tuesday and be open for six months. The settlement administrator won’t send out any payments until the deadline has passed.
Consumers can get more information at the website created by the settlement administrator, https://www.equifaxbreachsettlement.com , or the Federal Trade Commission website at https://www.ftc.gov/equifax .
Once the FTC sets up its claims site, consumers can check there to see if they were affected by the data breach. Consumers can make a claim if they can prove they suffered identity theft “fairly traceable” to the 2017 breach or if they can document they spent time and money dealing with securing their credit because of the breach even if they weren’t subject to identity theft. That could include signing up for credit monitoring services.
Consumers should sign up on the FTC website for email updates on the process. Regulators also suggest that consumers save any documents related to their efforts to avoid or recover from identity theft.
WHO WILL BENEFIT
It’s unclear who will benefit the most from this agreement.
While the settlement does provide some financial relief, which experts said is unusual for these kinds of cases, they said it doesn’t go quite far enough for consumers.
National Consumer Law Center staff attorney Chi Chi Wu said that while the settlement provides some compensation for known victims now, there isn’t a mechanism to address consumers who might suffer identity theft or other fallout many years down the road.
Additionally, it’s a challenge to prove harm specifically from Equifax, as there are so many breaches, said M. Eric Johnson, dean of Vanderbilt University’s Owen Graduate School of Management. And Johnson said he doesn’t expect many consumers will see that what they get in the settlement is worth the time it might take to make the claim.