Equifax Breaches 143M, refuses free freeze
stevepb / Pixabay
If you haven’t heard about the 143 million people who had data breached by Equifax this year, you might want to know about it. It’s a hot topic in the news today.
You may be one of those affected. I entered in my information and I am one of the unlucky 143 million people.
Be warned, however, if you check to see if you are one of the unlucky ones, news websites are saying that you will have agreed to their fine print which says you cannot sue them–that you agree to arbitration.
Read this: If you want help from Equifax, there are strings attached, and By signing up on Equifax’s help site, you risk giving up your legal rights
I called Equifax because I am one of their victims and I asked for a credit freeze. That sounds like a reasonable option to me considering what they’ve done, right?
I mean it says online that they will give you this at no charge if you are a victim of identity theft, your credit card has been stolen, etc. Considering they breached my data, my request doesn’t seem reasonable, right?
What does Equifax say to me?
Equifax wants me to give them $10 for the service after screwing up and not protecting my data!
Am I losing my mind or is that insane?
The idea I have to give the company who screwed me over money to protect myself seems ludicrous to me, without question. I cannot say I said polite words when I hung up.
What are you going to do? Are you one of the lucky 143 million?
EFL, thanks for addressing this topic, and expressing your outrage. It all just makes me sick.
I think that freeze is only good for 90 days, and then you have to pay another $10 for another 90 days. AND who’s to say that the Unfreeze PIN that they give you, won’t be compromised by the very same hackers who then themselves Unfreeze your account. How silly.
I didn’t read as closely perhaps as you did, but it’s similar to signing the back of checks we used to get in the mail with a free $2.50 or whatever. On the back of the check, where you sign, you’re actually agreeing to a magazine subscription for two years. How insidious.
I didn’t know that just by merely checking if I’m one of the 143+, my rights get eradicated.
But I did know that Equifax had already protected themselves LONG AGO, with fine print saying that if you ever use Equifax (much of what they have about us was not ever given to them by permission, so don’t quite understand this) you agree never to sue, but settle everything through arbitration.
So, even if you now sign up for their little TrueProtection, you’re merely once again stating that you won’t sue…though I’m sure this one will be more ‘binding’.
What surprises me most, and maybe it’s because you’re still shell shocked, is that you didn’t address the fact that back in May/June WHEN THIS ACTUALLY HAPPENED, the CEO’s sold all their stock in preparation for the eventual fall out. Gotta love that.
I guess the SEC must have considered those events 3 months ago as public domain.
$10 bucks to Equifax to freeze what they screwed up…like doctors owning the pharmacy where they prescribe medicine.
Unbelievable!
Equifax issued a statement Friday evening. “In response to consumer
inquiries, we have made it clear that the arbitration clause and class
action waiver included in the Equifax and TrustedID Premier terms of use
does not apply to this cybersecurity incident,” the company said.
Lawyers have indicated though, that what the “Contract You Signed” says, and what a marketing person says, are two different animals!!!
FREE with police report
Adult victims of identity theft can request a credit freeze for free
in writing by submitting a copy of a police report documenting the
identity theft and documentation proving your identity along with the
applicable form(s). A list of acceptable forms of identification can be
found at Equifax.com
Freezes can help block the creation of new credit accounts, but
they can’t prevent an identity thief from making charges to existing
accounts. So you must continue to monitor all bank, credit card and
insurance statements for fraudulent transactions.
The Equifax web page for doing a freeze on your own account is insecure. The page says the user can use Internet Explorer or Netscape Navigator, but Netscape Navigator was discontinued in 2008 – nine years ago! Further, Equifax’s page says “Copyright 2008”. A lot has happened since 2008 in terms of security. If the technology behind that page is from 2008, it’s much more vulnerable to security issues than a modern system that is fully up to date.
This is the main reason tech people (like me) advise people and companies to keep everything up to date. Older systems may be vulnerable in ways that are not protected against today’s threats, so we advise you to use modern systems with all the protections in place.
Warning: Do *NOT* enter your information on this page under any circumstances: https://www.freeze.equifax.com/Freeze/jsp/SFF_PersonalIDInfo.jsp
Russ, on top of things again I see! Thanks. What a mess.
Any comments on these pages:
equifaxsecurity2017.com/potential-impact/
equifaxcase.com (which shows up on safeweb.norton as UnTested)
freecreditscore.com or annualcreditreport.com
experian.com/freeze/center.html
freeze.transunion.com/sf/securityFreeze/landingPage.jsp
freeze.equifax.com/Freeze/jsp/SFF_PersonalIDInfo.jsp
I think anything short of FREE credit monitoring for life misses the mark! Hackers will be sorting and salivating over these 143,000,000 records for decades to come — like the Michelangelo virus.
Hi,
Most of those look good, but I only did a quick look at them.
#1 I’ve read comments (not verified) that people put in random letters and numbers and it still came back as compromised data by Equifax. That’s nearly impossible from a mathematical standpoint. While there are an alleged 135 million records stolen, the number of possible combinations of even a six letter name and six digits in the Social Security number is much, much larger than 135 million. That number is 2,419,748,766,759,630,000,000,000,000, and that’s just the number of combinations of a six letter name and a set of six digits. So for people to say they are putting in random numbers and Equifax is showing it’s a possible match… something is very very odd there.
#2 I don’t know anything about the lawyer, I expect there will be lawyers will will spend the next several months – or years – representing clients. I’m not a lawyer, and don’t have any objective means to evaluate them.
#3 I’ve heard that these web sites are good. I have purchased my free credit report in the past. It’s well known that the site http://www.freecreditreport.com is not free. Imagine that!
#4 and #5 – look OK on first check, so far so good with those two, no obvious security issues.
#6 Equifax we already know about. It seems painfully clear they did not test their security very well, and have not updated parts of their web site for nearly a decade.
I’m curious what other people are seeing and experiencing.
It’s likely that the reason they tell you it’s a possible match is to protect real information. Otherwise malicious actors could just start filling in information and noting where it shows a hit as a legitimate starting point to harvest further information. That technique is a derivative of “account harvesting”, and there are a plethora of ways to exploit systems to get them to give up useful information without them actually giving up any information intentionally. The malicious hackers operating in the world today are far above what ordinary people know to look out for or protect against, so on anything holding critical data, they have to implement some really strange mechanics in order to actually protect that data from getting into a criminal’s hands.
An example of how this works is if I go to some company’s website and it has a login page, I can just start feeding that form random usernames, or usernames from a list, or usernames generated programmatically from lists of common names, and submitting them with a single letter password. If the page responds with something like “invalid user”, or “username does not exist” or the like when an invalid account is entered, but responds with “incorrect password” when it has a valid username and incorrect password, then I’ve just tricked the system into letting me harvest a list of all the user accounts that exist on that website. Now all I have to do is run that list of accounts with a list of common passwords, and I’ll pop open a good 60% of those accounts to do with whatever I please.
In order to prevent that, I have to give exactly the same response (which can include more than just the message it responds with— it has to also include identical HTTP headers, cookies, requests, and even response timing deltas) to ANY invalid or incorrect login information supplied regardless of whether it’s the username or the password, etc. That makes the only message I can offer a legitimate user something like “invalid username or password”, which is less helpful to the real user, but is also the only way I can allow a real user to log in without also making it possible for a hacker to figure out who all the legitimate users on the site are and making it that much easier for them to hack into those accounts or phish those users for credentials that would allow the hacker to pivot and hack those users’ accounts on other sites if they share the same passwords or similar usernames, etc.
What Equifax is likely doing here is preventing identity thieves from gathering an extra 2 digits of social security numbers to associate with last names that they might not otherwise be able to get. It would actually bother me a lot more if it DIDN’T respond that way to random letters and numbers.
Protecting from hackers today is very next level from where it was even just 2-3 years ago. The bad guys are now employing actual data scientists and state intelligence agency level techniques against pretty much everything that exists online. The days of a simple firewall or antivirus software protecting you are over. It has reached the point where multiple security experts are starting to question whether you’d actually be better off without any of those programs than you are with them, because they only protect against a narrow subset of simple threats while actually providing an additional avenue into your data and creating another potentially weak link in the security chain for the bad guys. It’s an ugly world out there today.
I entered my last name and last 6 digits and it came clean–NOT compromised. Equifax had to have used the non-compromised for their data base, and would explain why just entering random info tells you “possibly compromised” whether that person even exists or not.
They seem to have responded to pressure to reverse the charge for the “free” service: http://www.huffingtonpost.com/entry/equifax-hack-credit-monitoring-service_us_59b69ca7e4b036fd85cc9220?ncid=inblnkushpmg00000009