What You Should Know About Equifax Data Breach Settlement – Krebs on Security

admin July 22, 2019

8 6 minutes read

What You Should Know About Equifax Data Breach Settlement – Krebs on Security

Big-three credit bureau Equifax has reportedly agreed to pay at least $ 650 million to settle lawsuits from a 2017 breach that let intruders steal personal and financial data on roughly 148 million Americans. Here's a letter primer that attempts to break down what this settlement means for you, and what it says about the value of your identity

Q: What happened?

A: If the terms of the settlement are approved by a court, the Federal Trade Commission says Equifax will be required to spend up to $ 425 million helping consumers demonstrate financially with the breach. The company also will make up to 10 years of free credit monitoring to those who had their data exposed.

Q: What about the money in the settlement?

A: An as-yet undisclosed amount will go to pay lawyers fees for the plaintiffs.

Q: $ 650 million seems like a lot. Is that some kind of record?

A: If not, it's pretty close. The New York Times reported earlier today that it was thought to be the largest settlement ever paid by a company over a data breach, but that statement doesn't appear anywhere in their current story.

Q: Hang on… 148 million affected consumers… out of that $ 425 million pot that comes to just $ 2.87 per victim, right?

A: That's one way of looking at it. But as always, the devil is in the details. That is, you will not see a penny or any other benefit unless you do something about it, and how much you can make up the company (within certain limits) is up to you.

The Times reports that the proposed settlement assumes that only around seven million people will sign up for their credit monitoring offers . "If more, Equifax's costs for providing it could rise meaningfully," the story observed.

Q: Okay. What can I do?

A: You can visit www.equifaxbreachsettlement.com, although none of this will be official or on offer until the court approves the settlement.

Q: Uh, that doesn't look like Equifax's site…

A: Good eyes! It's not. It's run at a third party. But we should probably just be grateful for that; given Equifax's total dumpster fire of a public response to the breach, the company has shown itself incapable of operating (let alone securing) a properly functioning Web site.

Q: What can I get out of this?

– Free credit monitoring: At least three years of credit monitoring via all three major agencies simultaneously, including Equifax, [Experian and Trans Union . The settlement also envisions up to six more years of single agency monitoring through Experian. Or, if you want to take advantage of the credit monitoring offers, you can opt for a $ 125 cash payment. You can get both.

– Reimbursement: … For the time you spent remedying identity identity or misuse of your personal information caused by the breach, or purchasing credit monitoring or credit reports. This is capped at 20 total hours at $ 25 per hour ($ 500). Total cash reimbursement payment will not exceed $ 20,000 per consumer.

– Help with ongoing identity theft issues: Up to seven years of "free assisted identity restoration services." Again, the existing breach settlement page is light

Q: Does this cover my kids / dependents, too?

A: The FTC says if you were a minor in May 2017 (when Equifax first learned of the breach), you are eligible for a total of 18 years of free credit monitoring.

Q: How do I take advantage of any of these?

A: You can't yet. The settlement has to be approved first. The settlement Web site says to check back again later. In addition to checking the breach settlement site periodically, consumers can sign up with the FTC to receive email updates about this settlement.

The settlement site said consumers also can call 1-833-759-2982 for more information. Press # 2 on your phone's keypad if you want to ship the 1-minute preamble and get straight into the queue to speak with a real person.

KrebsOnSecurity dialed in to ask for more details on the "free assisted identity restoration services, ”And the person who took my call said they had to have some basic information about me in order to proceed. He said they needed my name, address and phone number to proceed. I gave him a number and a name, and after checking with someone he came back and said the restoration services would be offered by Equifax, but confirmed that affected consumers would have to apply for it.

He added that the Equifaxbreachsettlement. com site includes a feature that allows visitors to check if they are eligible, but also confirm that just checking eligibility will not entitle one to any of the above benefits: Consumers will need to file a claim through the site ( When it's available to do so.

ANALYSIS

We'll see how this unfolds, but I'll be amazed if anything related to taking advantage of this settlement is painless. You can even get a copy of my credit report from Equifax, as I am under the law for free each year. We even requested a copy by mail, according to their instructions. So far nothing

But let's say that the case of argument that our question is basically right – that this settlement breaks down to about $ 3 worth of flesh extracted from Equifax for each affected person.

Avivah Litan Avivah Litan says the thing is, this figure is probably one more than one. credit bureaus make about $ 1 every time they sell your credit file to a potential creditor (or identity thief posing as you). According to recent reports from the New York Federal Reserve, there were around 145 million hard credit pulls in the fourth quarter of 2018.

But there is something you can do to stop the Equifax and the other desks from profiting this way: Free credit files with them.

A security freeze essentially any potential creditors from being able to view or "pull" your credit file, unless you are affirmatively unfreeze or thaw your file beforehand. With a credit on your credit card, ID can apply for credit in your name, but they will not succeed in getting credit for your name because few creditors will credit you without being able to gauge how risky it is to loan to you. And it's now free for all Americans.

This post explains in detail what is involved in freezing your files; how to place, thaw or remove and freeze; the limitations of a free and potential side effects; and alternatives to freezes.

What 's wrong with just using credit monitoring, you might ask? These services do not prevent thieves from using your identity to open new lines of credit, and from damaging your good name for years to come in the process. does steal your identity.

If you have any experience, anyone with a freeze on their credit file will need to briefly check their file (s) at Equifax before successfully signing up for the service when it's offered. Since three years, all three offices have made it easier to find and lift security freezes.

Probably too easy, in fact. Especially for people who had freezes in place before Equifax revamped its freeze portal. Those folks were issued a numeric PIN to lift, or remove a free, but Equifax no longer lets those users do any of those things online with just the PIN.

These days, create an account at the MyEquifax portal, one need only supply name, address, Social Security number, date of birth, any phone number (all data points exposed in the Equifax breach, and in any case widely available for sale in the cybercrime underground) and answer 4 multiple-guess questions which answers are often available in public records or on social media

And so this is another reason why you should not have your credit: If you do not sign up as you at MyEquifax, someone else might do it for you. [19659017] What else can you do in the meantime? If you have any phone calls or emails you did not sign up for that data breach settlement and if you want to provide personal and / or financial information.

And if you haven't done so lately, go get a free copy of your credit report from annualcreditreport.com; by law all Americans are called a free report from each of the major bureaus annually. You can opt for one report, or all three at once. Either way, make sure to read the report closely and dispute anything that looks amiss