Equifax revealed that the names, birthdays, addresses, and Social Security numbers of 143 million people were compromised between May and July. Most of the people affected by the breach are in the U.S., but data from an unspecified number of its UK and Canadian users was also stolen. The credit reporting company said this data was stolen because of a vulnerability in its website; its core databases were not accessed.
In addition to the information listed above, Equifax said the credit card numbers of 209,000 people were exposed, as were an unspecified number of driver's license numbers. Roughly 182,000 dispute documents containing personal identifying information were also compromised. All told, this means almost half of the country's population is now at risk of identity theft, spear-phishing attacks, or other crimes as a result of this breach.
Equifax said in its announcement that it plans to inform people whose information may have been compromised by this breach via direct mail, and a disclosure about the breach rests atop its main website. It's also set up a dedicated site where you can learn more about the breach and sign up for protective services. Here's what the company's providing affected consumers:
The offering, called TrustedID Premier, includes 3-Bureau credit monitoring of Equifax, Experian and TransUnion credit reports; copies of Equifax credit reports; the ability to lock and unlock Equifax credit reports; identity theft insurance; and Internet scanning for Social Security numbers - all complimentary to U.S. consumers for one year.
It would be hard to overstate how critical it is to keep an eye out for the letters informing you of this breach, or to sign up for these services if your information was compromised. It's bad news when a couple hundred thousand credit card numbers are stolen; it's much worse to have this much personal information in the hands of someone who could either sell it to other people or use it to commit identity theft or fraud themselves.
But there are a few problems with TrustedID Premier. The first is that Equifax is providing complimentary service for only a year, which means you'll have to pay if you want to extend those protections. Given the relatively static nature of names, SSNs, and other information affected by this breach, one year of protections won't be enough. A patient hacker would simply wait a year and then use the data once the protections end.
The second problem is that TrustedID Premier's terms of service require you to waive your right to sue. Here's the relevant section:
This arbitration will be conducted as an individual arbitration. Neither You nor We consent or agree to any arbitration on a class or representative basis, and the arbitrator shall have no authority to proceed with arbitration on a class or representative basis. No arbitration will be consolidated with any other arbitration proceeding without the consent of all parties. This class action waiver provision applies to and includes any Claims made and remedies sought as part of any class action, private attorney general action, or other representative action. By consenting to submit Your Claims to arbitration, You will be forfeiting Your right to bring or participate in any class action (whether as a named plaintiff or a class member) or to share in any class action awards, including class claims where a class has not yet been certified, even if the facts and circumstances upon which the Claims are based already occurred or existed.
So what does this mean for people affected by the breach? Well, it means that some of their most sensitive information now belongs to who-knows-who and will be used for who-knows-what. It also means they have two options: pay for protective services to make up for Equifax's mistakes, or get a year of security in exchange for waiving their right to sue the company and then having to pay for the service when the year is up.
Equifax's share price has plummeted roughly 23% since it disclosed the breach. That's bad news for shareholders—minus three executives, including the chief financial officer, who according to Bloomberg sold almost $1 million in stock after the intrusion was detected but before it was disclosed. Equifax told Bloomberg the execs were unaware of the breach when they sold their stock, but it's definitely one heck of a coincidence.
The company said it's "in the process of contacting U.S. state and federal regulators and has sent written notifications to all U.S. state attorneys general, which includes Equifax contact information for regulator inquiries." It has also brought on a "leading, independent cybersecurity firm to conduct an assessment and provide recommendations on steps that can be taken to help prevent this type of incident from happening again."
We expect to hear more about this breach and its fallout in the coming weeks, months, and years.