Equifax Breach Compromises 143 Million Americans' Personal Data

News
By Nathaniel Mott
published

Equifax revealed that the names, birthdays, addresses, and Social Security numbers of 143 million people were compromised between May and July. Most of the people affected by the breach are in the U.S., but data from an unspecified number of its UK and Canadian users was also stolen. The credit reporting company said this data was stolen because of a vulnerability in its website; its core databases were not accessed.

In addition to the information listed above, Equifax said the credit card numbers of 209,000 people were exposed, as were an unspecified number of driver's license numbers. Roughly 182,000 dispute documents containing personal identifying information were also compromised. All told, this means almost half of the country's population is now at risk of identity theft, spear-phishing attacks, or other crimes as a result of this breach.

Equifax said in its announcement that it plans to inform people whose information may have been compromised by this breach via direct mail, and a disclosure about the breach rests atop its main website. It's also set up a dedicated site where you can learn more about the breach and sign up for protective services. Here's what the company's providing affected consumers:

The offering, called TrustedID Premier, includes 3-Bureau credit monitoring of Equifax, Experian and TransUnion credit reports; copies of Equifax credit reports; the ability to lock and unlock Equifax credit reports; identity theft insurance; and Internet scanning for Social Security numbers - all complimentary to U.S. consumers for one year.

It would be hard to overstate how critical it is to keep an eye out for the letters informing you of this breach, or to sign up for these services if your information was compromised. It's bad news when a couple hundred thousand credit card numbers are stolen; it's much worse to have this much personal information in the hands of someone who could either sell it to other people or use it to commit identity theft or fraud themselves.

But there are a few problems with TrustedID Premier. The first is that Equifax is providing complimentary service for only a year, which means you'll have to pay if you want to extend those protections. Given the relatively static nature of names, SSNs, and other information affected by this breach, one year of protections won't be enough. A patient hacker would simply wait a year and then use the data once the protections end.

The second problem is that TrustedID Premier's terms of service require you to waive your right to sue. Here's the relevant section:

This arbitration will be conducted as an individual arbitration. Neither You nor We consent or agree to any arbitration on a class or representative basis, and the arbitrator shall have no authority to proceed with arbitration on a class or representative basis. No arbitration will be consolidated with any other arbitration proceeding without the consent of all parties. This class action waiver provision applies to and includes any Claims made and remedies sought as part of any class action, private attorney general action, or other representative action. By consenting to submit Your Claims to arbitration, You will be forfeiting Your right to bring or participate in any class action (whether as a named plaintiff or a class member) or to share in any class action awards, including class claims where a class has not yet been certified, even if the facts and circumstances upon which the Claims are based already occurred or existed.

So what does this mean for people affected by the breach? Well, it means that some of their most sensitive information now belongs to who-knows-who and will be used for who-knows-what. It also means they have two options: pay for protective services to make up for Equifax's mistakes, or get a year of security in exchange for waiving your right to sue the company and having to pay for the service when the year is up.

Equifax's share price has plummeted roughly 23% since it disclosed the breach. That's bad news for shareholders—minus three executives, including the chief financial officer, who according to Bloomberg sold almost $1 million in stock after the intrusion was detected but before it was disclosed. Equifax told Bloomberg the execs were unaware of the breach when they sold their stock, but it's definitely one heck of a coincidence.

The company said it's "in the process of contacting U.S. state and federal regulators and has sent written notifications to all U.S. state attorneys general, which includes Equifax contact information for regulator inquiries." It has also brought on a "leading, independent cybersecurity firm to conduct an assessment and provide recommendations on steps that can be taken to help prevent this type of incident from happening again."

We expect to hear more about this breach and its fallout in the coming weeks, months, and years.

Nathaniel Mott
Nathaniel Mott
Freelance News & Features Writer

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.

11 Comments Comment from the forums
  • dark_lord69
    "sold almost $1 million in stock after the intrusion was detected but before it was disclosed."
    Ummm... Insider trading!?

    "Equifax told Bloomberg the execs were unaware of the breach when they sold their stock, but it's definitely one heck of a coincidence."
    <mod edit>
    Reply
  • Ilya__
    I hope Equifax gets slammed for this. Worst customer service I've ever seen and very outdated technology. They literally sat on their ass and collected money for the past 10-15 years.
    Reply
  • LORD_ORION
    Secure: Records of your debts
    Not secure: Detailed personal info to make new debt

    *thumbs up*

    They are very non specific about "core database" vs "website vulnerability".
    Does this mean anyone who used their web services is likely compromised? eg: You went to their website and did something like a credit check on yourself, and all the info you plugged in is what was compromised?

    Regardless, would you ever do direct business with them again after this? Would you want a 3rd party doing business with them with your info? eg: Some potential employer runs a credit check on you through equifax, and zing... your personal info is compromised.
    Reply
  • leoscott
    Equifax should be out of business. This data is the core of their business and if they can't protect it they don't belong in the business. I hope a class action suit bankrupts them.
    Reply
  • redgarl
    I am one of the potential victim... I hope Equifax goes bankrupt and I hope the class action is going to bring the company to the ground.

    It is totally unacceptable. They have our banking info, our credit card info, our SINs, our DOBs and our addresses. Talk about a central point of failure, this should have never happened.
    Reply
  • leoscott
    LORD_ORION
    You can go to the website linked in the article and check to see if you are potentially impacted via a button at the bottom. I have never used Equifax and my data was potentially impacted.
    Reply
  • cryoburner
    20153211 said:
    They are very non specific about "core database" vs "website vulnerability".
    Does this mean anyone who used their web services is likely compromised? eg: You went to their website and did something like a credit check on yourself, and all the info you plugged in is what was compromised?
    I rather doubt that anywhere close to 143 million Americans have directly used their website. That's nearly half the population. More likely, it's anyone who has had a credit check performed on them by any company during a certain span of time. So even someone who is not familiar with Equifax might have had their data compromised.

    And providing a year of protective services is a joke. Is the leaked data going to mysteriously disappear a year from now? It's about as useful as a new PC shipping with a one month subscription to some antivirus. More a demo than anything.



    Reply
  • Decends
    20153270 said:
    LORD_ORION
    You can go to the website linked in the article and check to see if you are potentially impacted via a button at the bottom. I have never used Equifax and my data was potentially impacted.

    Unfortunately, even checking on their website presents a problem. In their fine print, you surrender your right to sue them or join a class action lawsuit against them if you use that.
    Reply
  • Brian_R170
    Equifax turns it into a huge win. Customers give up their rights to sue and many continue to pay an annual fee after the one year of free credit-monitoring is up.
    Reply
  • Brian_R170
    20152764 said:
    "sold almost $1 million in stock after the intrusion was detected but before it was disclosed."
    Ummm... Insider trading!?

    "Equifax told Bloomberg the execs were unaware of the breach when they sold their stock, but it's definitely one heck of a coincidence."

    Reporter sensationalism. Look up SEC rule 10b5-1. There's about a 100% chance that this really IS a coincidence and I would bet the documentation exists to prove it.
    Reply