Equifax Hack: 44% of Americans Had Their SSN, names & birthdate stolen

CathleenT · Sep 8, 2017

Uh, Elaine, I wouldn't even bother with saving a receipt for a class action suit. I received a settlement once. Do you want to know what I got for five figures worth of damages? Seventeen bucks. (Okay, there was some change, too.)

About the only reason to do this is because you're pissed and want to help put the company out of business. But don't think you're going to be compensated--especially with the numbers that will be lining up for this thing.

Participating in a lawsuit can be a lot of work. Just a heads up so people have an idea what to expect.

Sage · Sep 8, 2017

For those that say they're affected, did the site say you're affected, or that you "may be" affected. I got the latter, which is basically the amount of information I had before going to the site, but everyone seems so certain.

Roxxsmom · Sep 8, 2017

One thing that's been suggested to protect oneself from stolen credit and personal information is to pay a fee to freeze your credit with each of the reporting agencies. This means that if someone applies for credit in your name the reporting agency will notify the lender or agency that needed the credit report that your credit has been frozen, so the application won't be approved. It's not foolproof, but it makes it harder for someone to use stolen information to get credit cards or do things that require credit reports in your name. Most thieves go with a path of least resistance.

The down side is that you can't apply for credit or do things that require a credit report either, without paying a fee to temporarily or permanently lift the freeze. And each agency gives you a long pin that you must keep somewhere safe (it won't be easy to memorize) to give the credit reporting agencies if you want to lift the freeze.

As far as I know, though, they don't notify you if someone tries to obtain credit in your name.

ElaineA · Sep 8, 2017

CT, yes, I know, but it's better than nothing, and in this case, it's so big, I suspect the Feds are going to be leaning heavily on Equifax. I'd keep everything, just in case. Based on the Volkswagon and Takata consumer breaches, it may end up better than the usual. Never hurts to keep records, just in case. FWIW, I've been a member of at least 8 class action suits. I didn't have to do a thing beyond send in a card, or fill in some info on a website.

The credit freeze is another item I'd keep a receipt for. Equifax may be more willing to deal with individuals making claims than a class. It might be worth a letter, a copy of receipts, and a demand for reparations if one is interested in trying. We got a new roof out of this tactic when ours failed, while the people who joined the class got pennies on the dollar. If Equifax is liquid, you can forego the class. If they go bankrupt, all bets are off.

blacbird · Sep 8, 2017

Having no existence to speak of, perhaps I'm okay.

caw

Roxxsmom · Sep 8, 2017

ElaineA said:
If Equifax is liquid, you can forego the class. If they go bankrupt, all bets are off.

Do you think this is a real possibility?

I just can't get past how nonchalant they've been acting about this. Is that theatrics, to try and avoid retribution, or are they really that clueless?

ElaineA · Sep 9, 2017

Roxxsmom said:
Do you think this is a real possibility?

I just can't get past how nonchalant they've been acting about this. Is that theatrics, to try and avoid retribution, or are they really that clueless?

Yeah, I really don't know, but I assume they feel confident that the monetary risk coming from the public side of this isn't big. After all, our identities have no dollar value. We aren't technically responsible for fraudulent activity in our names so there is only the "cost" to prove the fraud and clean our credit, which they can do with a keystroke.

The big costs, for the most part, rest on the banks, lending institutions, retailers, etc. They have to investigate every claim of "that's not me" and eat fraudulent purchases. Those are Equifax's real customers. We're a product they sell. I imagine there's more concern in the board room for those entities, similar to when the auditors and accountants got wrapped into the housing collapse. It's going to cost VISA, MC, AMEX, housing lenders (which includes the Federal govt--Fannie Mae, etc) a lot to vet applications now if 70% of adults can't really prove they belong to their purported social security number because every way to prove it has *also* been stolen.

It's possible Equifax could declare bankruptcy if the corporate clients simply stop using them, but I have my doubts that will happen. "Too big to fail" was quaint during Enron. It's canon in corporate America now.

nighttimer · Sep 9, 2017

Luciferical said:
I find it hilarious, in a dark comedy sort of way, that the potential impact site has been so poorly setup that one security app actually tagged it as a potential phishing site.

I feel much better now. Do you?

Oh sure. I'm absolutely laughing my ass off. I haven't had so much fun since the last time my hand got caught in the garbage disposal. :rolleyes

Here's a question I've been wondering and maybe you can answer for me. How long is the credit monitoring in effect? If it's only a year, if I'm the hacker who ripped all that info off, I'm just going to sit on it until a year passes and then I'm gonna dump it all over the dark web and get paid.

tiddlywinks said:
*delurks*

This is not a hoax or fake news or just a gimmick to get you to sign up for crappy credit monitoring. Unfortunately it is very real, folks, and some of you may have already been affected in the months since the data was stolen (I can attest from personal experience here. This explains some recent nasty headaches in my household...)

As for preventative measures, one thing you can do is put a credit freeze in place - but do your research before you do that, especially if you have any near term plans to open lines of credit, purchase a house, etc. It's a PITA when you actually want to do something involving credit...buuuuut you also don't want to get ready to apply for a mortgage, only to find someone has wreaked havoc on your credit. (The big 3 credit agencies aren't exactly the fastest or most helpful under such circumstances either.)

Roxxsmom said:
One thing that's been suggested to protect oneself from stolen credit and personal information is to pay a fee to freeze your credit with each of the reporting agencies. This means that if someone applies for credit in your name the reporting agency will notify the lender or agency that needed the credit report that your credit has been frozen, so the application won't be approved. It's not foolproof, but it makes it harder for someone to use stolen information to get credit cards or do things that require credit reports in your name. Most thieves go with a path of least resistance.

The down side is that you can't apply for credit or do things that require a credit report either, without paying a fee to temporarily or permanently lift the freeze. And each agency gives you a long pin that you must keep somewhere safe (it won't be easy to memorize) to give the credit reporting agencies if you want to lift the freeze.

As far as I know, though, they don't notify you if someone tries to obtain credit in your name.

Fun facts about credit freezing.

In basic terms, freezing your credit means placing restrictions on who can view your credit report. Why is this important? Well, applying for housing, checking accounts or new credit cards can all involve a credit pull by potential landlords, mortgage lenders or banks. If you prevent them from pulling your credit, it'll frustrate the fraudsters who need these organizations' approval to open fake accounts using your stolen identity.

Freezing your credit comes with a $5 to $10 charge for each credit bureau. The amount of the charge depends on where you live; here's a PDF from Equifax that shows how much it might cost you. Often, victims of identity theft can freeze their credit at no charge. To get the ball rolling, visit the relevant websites of Experian, Equifax and TransUnion. You can also call Equifax (1-800-349-9960), Experian (1‑888‑397‑3742) or TransUnion (1-888-909-8872).

The credit agencies will ask for your personal information, including your name, address, date of birth and Social Security number. Once you've supplied those and frozen your credit report, nobody except your existing lenders, or their debt collectors, will be able to see it, according to federal regulators. The only other entities that are allowed to see your credit report at this point are government agencies carrying out a search warrant or subpoena, and yourself, if you're trying to access the free credit report that is entitled to you once per year per credit bureau. (You can thank a 2003 law known as FACTA for this right. Annualcreditreport.com is the only website you'll ever see government officials recommend for this purpose.)

But what do you do once your report is frozen and you need, say, a credit card company to look at it?

In that case, you can contact the credit bureaus again and ask them to lift or “thaw” the freeze. To do so, you'll need a PIN that your credit bureau gave you when you enabled the freeze. The reporting agencies are required to put the thaw into effect no later than three business days after you submit the request. You can also choose to lift the freeze only for a specific amount of time, to limit your exposure. Lifting the freeze can also come with a small fee.

If you lose your PIN, you can reset it, but that will typically require you to provide proof of your identity. This poses a different type of security risk; if a criminal manages to get a copy of the required identifying documents — say, through a corporate data breach or by persuading you to give up the information voluntarily through an email phishing attack — then there isn't much standing between a determined thief and an unfrozen credit report.

Most of us who learn about credit freezes won't actually do anything with that information. Why? Because many of us are reactive instead of proactive. That's why folks who live in an area plagued by hurricanes rush out to Home Depot to buy plywood instead of already having a stack stashed in the garage. Plus, it's effort. Who wants to navigate their way through a phone tree to get to whomever you have to get to actually place the freeze on your accounts?

Me, that's who. That's why my wife and I will be calling Monday morning. I've had my accounts hacked into once already this year and they hit my checking account for $1000. I was lucky and my bank believed me and put the money back, but it was still a royal pain in the arse and a feeling of being violated that hasn't entirely gone away.

Pay a little and feel better or pay nothing and perhaps feel much worse. Thanks for nothing Equifax. Eat shit and live.

blacbird said:
Having no existence to speak of, perhaps I'm okay.

caw

Perhaps you are. Until your bank calls and asks, "Pardon us, Mr. Blacbird, but did you really authorize $25,000 in home furnishings from IKEA to be shipped to your villa in the South of France?" :Shrug:

That will be when you find out you are living a much grander existence than you previously thought.

Luciferical · Sep 9, 2017

nighttimer said:
Oh sure. I'm absolutely laughing my ass off. I haven't had so much fun since the last time my hand got caught in the garbage disposal.

Here's a question I've been wondering and maybe you can answer for me. How long is the credit monitoring in effect? If it's only a year, if I'm the hacker who ripped all that info off, I'm just going to sit on it until a year passes and then I'm gonna dump it all over the dark web and get paid.

The credit monitoring CAN be whatever they want. I am not a legal expert, but I'm not aware of any law on this. I think some states may have requirements. But no blanket coverage. One year seems to be the accepted standard, if such a word applies here at all.

And the dark Web markets have already done what you say. Security experts have already noticed stolen credentials showing up on black market sites after said year of free monitoring. Holders of these fake credentials are even known to spot check some of their holdings to see if fraud alerts or credit freezes show up.

Such stolen credentials aren't sold individually, or even by the dozen. They are sold 10,000 or more at a time. So they can afford to test a few here and there.

nighttimer · Sep 9, 2017

Luciferical said:
The credit monitoring CAN be whatever they want. I am not a legal expert, but I'm not aware of any law on this. I think some states may have requirements. But no blanket coverage. One year seems to be the accepted standard, if such a word applies here at all.

And the dark Web markets have already done what you say. Security experts have already noticed stolen credentials showing up on black market sites after said year of free monitoring. Holders of these fake credentials are even known to spot check some of their holdings to see if fraud alerts or credit freezes show up.

Such stolen credentials aren't sold individually, or even by the dozen. They are sold 10,000 or more at a time. So they can afford to test a few here and there.

Yeah, isn't that comforting as all get out? The more I read about Equifax's response to this massive data breach, the more inadequate it gets.

It’s time for all of us to play defense, because Equifax clearly did not.

In the wake of the epic breach of as many as 143 million of our Social Security numbers, names and addresses from the company’s credit files, the company put up a website that attempted to make sense of things for consumers.

The company’s first order of business ought to have been to create a simple way for people to figure out if their data was potentially compromised. On this count, Equifax failed at first.

On Thursday night, I entered my last name and the last six digits of my Social Security number on the appropriate Equifax web page. (They had the gall to ask for this? Really? But I digress.) I received no “message indicating whether your personal information may have been impacted by this incident,” as the site promised. Instead, I was bounced to an offer for free credit monitoring, without a “yes,” “no” or “maybe” on the central question at hand.

By Friday morning, this had changed, and I got a “your personal information may have been impacted by this incident” notification. Progress. Except as my friend Justin Soffer pointed out on Twitter, you can enter a random name and number into the site and it will tell you the same thing. Indeed, I typed “Trump” and arbitrary numbers and got the same message.

Now, to the remedy. The company is offering one free year of credit monitoring to all Americans, not just the ones whose data was stolen. It includes the ability to turn your Equifax credit report on and off, to keep thieves from applying for credit in your name using information they stole from Equifax and to have access to your Equifax report to do so.

That’s all well and good, except that the thieves might use the stolen information to apply for credit with lenders that check the credit reports only at the other big agencies, Experian and TransUnion. So this protection is incomplete.

And why just a year? Who knows? Isn’t this an invitation to the thieves to sit on the data for a while and then use it when all of us have moved on?

Meanwhile, people can’t easily change their Social Security numbers to thwart the thieves. So if any bad actors have your personal data, those numbers will be useful for years, maybe decades, depending on how the credit system changes over time.

Equifax should have made the monitoring last forever. Since it didn’t, it will now be able to solicit everyone who signs up for its year of free service. And what do you want to bet that the company will offer an extension bright and early on day 366 for, say, $16.95 per month?

So, yes, your worst suspicions are now confirmed. Equifax may actually make money on this breach. We would expect nothing less from the credit reporting industry, with which few of us would choose to do business but nearly everyone has to sooner or later.

Boy, if ever there were a need for a Barf Emoji... :e2smack:

neurotype · Sep 9, 2017

I checked to see if I'd had my details stolen yesterday afternoon. Got the "may be affected" message. Tried again this morning (since they apparently updated the site) and it said I was NOT affected. Tried two hours later...affected again. Don't trust the site they set up, it clearly knows nothing. Also, see recent NY Times article about this here.

I froze my credit this morning, very easy to do and free (my home state is New York). You can check the fees for your state through this link. Got my pins and stored them in a couple places. Also see this article here with info on websites/phone numbers to freeze your credit and also differences between credit freeze and fraud alert. Fraud alerts only last the 90 days unless you provide proof you've been hacked. Better to freeze your credit unless you know you're applying for anything soon.

Tell everyone you know, and be sure to check your credit reports now to make sure no one has signed up for anything in your name since this started in May! Be safe everyone

Diana Hignutt · Sep 11, 2017

Wait, if I can't get credit with my identity, how can someone else?

Luciferical · Sep 11, 2017

Diana Hignutt said:
Wait, if I can't get credit with my identity, how can someone else?

There are places out there, technically legal, places you know better than to use, that will issue credit. The people who use these stolen credentials don't care, because:
1) they aren't going to pay in the first place
2) your credentials are in a package with 10,000 or 20,000 other credentials. I've seen one offer for over a million credentials for sale.

If even 1% of the credentials work, success in their minds.

nighttimer · Sep 11, 2017

So, your credit's crap anyway and even if its not, you're sure nothing too bad is going to happen because nothing too bad has ever happened before.

What's the worst that could happen? You sure you really wanna know? :scared:

If you're not worried about the Equifax hack, you should be.

The hackers made off with the most crucial tools that identity thieves need to impersonate you. The worst-case scenario is a very real threat to millions of Americans.

If the stolen information from Equifax gets into the wrong hands, experts say data thieves can open bank accounts, lines of credit, new credit cards and even drivers' licenses in your name. They can saddle you with speeding tickets, steal your tax refund, swipe your Social Security check and prevent you from getting prescription drugs.

Recovering from identity theft could take months or even years. And no one is responsible for cleaning up your own mess but you.

The data stolen in the Equifax hack is extremely valuable to cyberthieves. All that information packaged together sells for upwards of $30 per identity on online black markets, according to Mark Nunnikhoven, head of cloud research for cybersecurity firm Trend Micro.

"That's the foundational identification information for U.S. consumers," said Nunnikhoven. "It's enough to allow cyberthieves to take over you online."

If a cybercriminal maxed out a credit card in your name, you'll have a very difficult time passing a credit check. Good luck getting a new cell phone, a student loan, a car or a mortgage.

If a data thief took out a prescription using your identity, that goes on your medical record. That could seriously screw up your ability to get treatment at a hospital or from your pharmacy, particularly if the fraudster obtained medicine that counteracts with yours.

More sinister cybercriminals could use that data to pin crimes on you, according to Eva Velasquez, CEO of the Identity Theft Resource Center, a nonprofit that assists fraud victims.

If someone gets a driver's license in your name and runs a red light or gets a speeding ticket, you're on the hook. The criminal's not going to pay it -- and soon enough there could be a warrant out for your arrest.

"This is not hypothetical," said Velasquez, who notes her organization annually helps thousands of victims of some truly complex identity fraud. In a few extreme cases, Velasquez's organization dealt with fraud victims who discovered prisoners were serving sentences in their names.

Of the roughly 17 million reported cases of identity theft last year, about 4% was of the "criminal" variety (assigning speeding tickets, warrants and other violations to fraud victims). It's a small, but not insignificant number. And that was before the massive Equifax hack.

Maybe this is all hair-on-fire hysteria and Chicken Little doom & gloom. Maybe it's not as oh-god-please-make-it-stop bad as it could be.

But what if it is? Do you really want to find out? :scared:

cbenoi1 · Sep 11, 2017

Diana Hignutt said:
Wait, if I can't get credit with my identity, how can someone else?

Criminals can do a lot of damage with your personal information alone.

ETA: nightimer nailed it better in the post above.

-cb

Diana Hignutt · Sep 11, 2017

cbenoi1 said:
Criminals can do a lot of damage with your personal information alone.

ETA: nightimer nailed it better in the post above.

-cb

I see. Are you advising me to gnash my teeth and wail to the skies? I was in the "may have been affected" category, btw.

Calla Lily · Sep 11, 2017

Took me 20 minutes yesterday and some cussing at my screen, but I placed a credit freeze at all the credit reporting agencies. So did my husband and both adult offspring. Worth the annoyance. Nothing is 100% sure, but I knew it'd be reckless not to.

Luciferical · Sep 11, 2017

Remember, too, that credit checks aren't just done for... well... credit. If you want to work in any kind of position that entails sensitive data, credit checks can be part of a background investigation.

I have Credit Karma notifying me of any credit checks that show up.

Lyv · Sep 11, 2017

Calla Lily said:
Took me 20 minutes yesterday and some cussing at my screen, but I placed a credit freeze at all the credit reporting agencies. So did my husband and both adult offspring. Worth the annoyance. Nothing is 100% sure, but I knew it'd be reckless not to.

Experian wouldn't let me or my husband place a freeze. We can't figure out why. We have (and had when we checked out credit with them right before trying to do a freeze) perfect credit, no criminal histories, have owned our house for 15 years and owned the one before that for seven. But they are asking us to do this by mail. I'm going to try to call them later and ask what the issue is because I really don't want to send all the documentation they're asking for by mail. This has me nervous.

ElaineA · Sep 11, 2017

Recovering from identity theft could take months or even years. And no one is responsible for cleaning up your own mess but you.

Well, that's where we need to start. It should be EQUIFAX'S responsibility to clean that mess up. That's where it'll cost them. Class action lawyers and our government reps (local are probably more reliable than federal) need to help us hold their feet to the fire.

Luciferical · Sep 11, 2017

ElaineA said:
Well, that's where we need to start. It should be EQUIFAX'S responsibility to clean that mess up. That's where it'll cost them. Class action lawyers and our government reps (local are probably more reliable than federal) need to help us hold their feet to the fire.

Ummm...

Code:
Unfortunately Equifax PINs aren’t chosen at random, they are simply the date and time at which you performed your freeze.

If you froze your data on Friday night after watching our Facebook Live about the Equifax breach at, let’s say, 5pm, your PIN would be

Code:

0908171700

You want these guys cleaning it up?

Also, a tweet by well-regarded security researcher Brian Krebs hints that a firm known as Mandiant is involved in the investigation.

I have no special insight on who was responsible for the Equifax breach. But usually when Mandiant is involved, it's state-sponsored.

He quoted tech news site ZDNet for revealing that the company investigating for Equifax is Mandiant.

Luciferical · Sep 11, 2017

Y'know... I want to think I'm just on the whacko side of paranoid. It helps with what I do for living, but still, whacko.

And then stuff like this comes up.

tiddlywinks · Sep 11, 2017

It should be Equifax's responsibility, but it's not. There is an entire area of law dedicated to this very thing, for years, because the big credit reporting agencies, financial institutions, and others don't move fast enough for it to help an individual consumer living this nightmare until their feet are put to the legal fire. Elaine, don't get me wrong, I applaud you wanting to change this. Just saying, it will take time. And in the meantime, folks affected should take real steps to protect their identity as much as is possible at this point.

If you are going to reach out on this matter, a good place to start might be your state attorney general's office. They should have what is known as a consumer protection enforcement division. I know Minnesota does. That's where you will find a nexus of legal experts and elected officials to start the ball rolling.

ElaineA · Sep 11, 2017

Luciferical said:
You want these guys cleaning it up?

I didn't say that. I said "responsible" and went on to say "cost." I never said they should be allowed to fix it themselves. I've been clear on this thread I want to see them put out of business.

tiddlywinks said:
If you are going to reach out on this matter, a good place to start might be your state attorney general's office. They should have what is known as a consumer protection enforcement division. I know Minnesota does. That's where you will find a nexus of legal experts and elected officials to start the ball rolling.

This is exactly what I intend to do. Thankfully we have a smart, active AG.

We will freeze our credit, but that's an individual decision and not one anybody can say everyone should make. People might need to buy a car, or a refrigerator, or obtain credit to rebuild after...oh, a hurricane. Not everyone can freeze their credit. Not everyone can afford the freezing-unfreezing cycle. Equifax can, though, and they should be financially responsible when a consumer has to make these steps.

Luciferical · Sep 11, 2017

@ElaineA: I didn't intend to put words in your mouth.

Sorry for that.

Equifax Hack: 44% of Americans Had Their SSN, names & birthdate stolen

I write

Supreme Guessinator

Beastly Fido

All about that action, boss.

Beastly Fido

All about that action, boss.

No Gods No Masters

No Gods No Masters

New Fish; Thick Scales

Very Tired

No Gods No Masters

Very Tired

On hiatus

I meant to do that.

All about that action, boss.

Chaser of Shineyyyy Plot Bunnies

All about that action, boss.