Last week, Equifax revealed that the names, addresses, and Social Security numbers of roughly 143 million people were stolen from its website. (Other information, such as credit card and driver's license numbers, about hundreds of thousands of people was also compromised.) Now the company has released several updates to let people know how it's handling the hack's aftermath and to clarify the terms of TrustedID Premier.
Equifax's response to this breach attracted plenty of criticism—and not just because three executives reportedly sold around $1.8 million worth of stock in between the hack's discovery and its disclosure. Of particular concern was how it planned to protect the identities of people whose personal data was compromised. These aren't usernames or passwords that can be changed at a moment's notice; they're permanent identifiers.
So the company said it would provide free credit monitoring, identity theft insurance, and other protections via its TrustedID Premier service. The problem was that Equifax will foot the bill for this service for only a year, after which people will either have to put their financial health at risk or pony up for the service themselves, and that TrustedID Premier's terms of service include an arbitration clause that waives users' right to sue.
New York State Attorney General Eric T. Schneiderman said on Twitter that "this language is unacceptable and unenforceable" and that his staff contacted Equifax to "demand that they remove it." (He later published a guide to protecting yourself in the wake of the breach and announced that he launched a formal investigation into the hack.) The company then issued an update on the website dedicated to the incident, which read:
In the days since, Equifax has also more than tripled the number of agents working in its call centers, updated its PIN generation process, and updated its main website to more prominently feature a link to the site dedicated to the breach. The company said it has also "arranged to ramp up agents quickly to replace agents" affected by Hurricane Irma in an effort to keep call center wait times to a minimum.
The company also clarified TrustedID Premier's terms of service again:
Equifax also told several people on Twitter that using TrustedID Premier as a result of the incident won't affect their legal rights. It's clear that the company wants to address one of the primary criticisms of its response to the hack. (Although the stock sale and limited time offer of TrustedID Premier largely remain unaddressed.)
The good news is that you can now use the protective services without signing away your rights.
The bad news is that you still have to choose between paying a company that collected your personal information without your consent—credit reporting companies are nigh-ubiquitous but oft-forgotten—to protect you or living in fear of having your identity stolen. Sure, going with the first option right now means you get a free year of TrustedID Premier. But if you're planning to live any longer than that, you're still at risk.
Really makes me sick that even in 2017 companies are not investing in proper data protections. Even more since this data is so critical to every person and cannot be changed like a CC number. They need to be made an example of to make sure this does not happen in the future.
Edit: Oops, misunderstood darkguy2's comment. Nevermind.
I had to pay for Lifelock last summer -- aside from the issue with the IRS (!?!) getting hacked & someone attempting to use our information to file a fake return with them, someone stole my wife's identity & opened a bunch of store credit cards in her name (happened to luck out & catch her because she opened a CostCo membership the same day that we were trying to, just 30 minutes before we applied, & she was still at the other store; their staff delayed her until the police could show up). So we paid for their middle plan, which includes monitoring your accounts for transactions as well as regular sweeps of known "Darkweb" sites for your personal information. It's expensive, to be sure...but a) we've already been burned once, & b) it's cheaper than Experian's protection (which only covers you with their bureau, not the other 3). And boy, do they catch them. We originally had the alert threshold set at $500, so every month it asks us if we really meant to make our house payment. We just had a transaction they missed, though, because it was under that threshold, so now I've had to drop it to the $200 level (which now means the monthly car payment, as well as the semiannual car insurance payments, are going to trigger alerts). They're mildly irritating...but it gives us greater peace of mind.
Probably what they meant, though, was that they didn't want Lifelock handling the 'fraud alert' or 'credit freeze' options. A fraud alert flag on your account isn't necessarily a big thing because it's done for free (the 90-day alert gets shared with the other 2 credit bureaus, but the 7-year version has to be set with each one individually), & basically means that any financial institution (bank, credit union, loan company, auto dealership, etc.) has to contact you personally before opening any account. The credit freeze, though, is a major thing because a) as long as it's enabled no company is allowed to see your credit score/report (unless you already have a pre-existing & active account with them, or the company is an authorized collection agency acting on that company's behalf), & b) they charge a fee.
Fair warning on the fraud alerts: it makes a really big flag pop up with the Social Security Administration, & if you haven't already set up an online login for their site you'll have to go to a local office in person to get access to it.
Funny thing is, LifeLock sent me an alert back in May about a potential issue with 1 of my credit reports (possible name/address change, etc.). I called all 3 bureaus & went over the name/address information on them, but couldn't find anything that was out of place, & since the name/address in question actually belonged to my father (similar name, & they live close by) I didn't think anything more of it....now I'm wondering, since I had the alert in June, if it wasn't somehow tied into this hack.
No, I'm pretty sure he meant that, unlike changing CC numbers, it's really difficult to change the rest of the information. You have to go to a judge to legally change your name, changing your address means physically moving all of your stuff/buying a new place or finding a new place to rent/other financial issues, & I don't know if you can even change your SSN at all.
God, I wish it was that simple. I don't know much about encryption or cybersecurity but with how much encryption there is to go around these days, I wonder if our SSNs could get a treatment like how Credit Cards got treatment with the chips.
Everyone has two choices: 1. Place a fraud alert with any of these credit reporting agencies, and they are required to notify the others for free. If someone tries to take out credit in your name, lenders are required to verify that it is really you requesting the credit. The only difficulty is that this is only good for one quarter; however, you can renew it indefinitely for free.
Choice 2: Place a credit freeze with the agency, which costs $5-$10 depending on where you live. This means that lenders cannot pull your credit report and, therefore, are not able to issue credit in your name. If you need to get additional credit, you can contact the agency and have them temporarily remove the credit freeze so that you can apply for any credit needed.
It may be a bit more difficult to take these actions yourself; however, I bet it is far cheaper than LifeLock. Why pay them for something that can be done for free (a fraud alert), or for what may be only a one-time fee of $5-$10?
The problem is non-tech savvy folks don't realize the severity of this situation.
It's a "hasn't happened to me, so how bad could it possibly be?" reaction.
This security breach is so disgusting. These corporations don't care for our sensitive information in any way shape or form.