Sep. 9th, 2017

marahmarie

The Equifax data breach is turning into a complete disaster because the very thing they're offering to "protect" us - free credit monitoring for one year - has so many "gotchas" built in you might be better off not signing up, or even using their website to check if you were affected by the breach.

For starters, checking your name for breach status or signing up for Equifax's credit monitoring could prevent you from joining the class action lawsuit which arose from it.

ETA, 9-12-17: Not to mention the website appears to be broken, which sounds about right, because the first time I checked I got no answer on whether I was "impacted" or not, while the second time (same session, same cookies) I was told I was "impacted" and encouraged to sign up for free credit monitoring - after I already had.

And opting out by snail mail from the arbitration clause which prevents you from joining requires submitting an "Equifax User ID" that people who merely check their status or sign up for protection will not have, so opt-out for us isn't actually possible.

But signing up for "free-for-now" monitoring will result in getting billed for service after just one year if you don't cancel ahead of time (just like AOL's so-called "free" trial: if you do nothing, they'll start charging for service whether you like it or not). Signing up also requires internet access and a credit or debit card because of course it does, so your connectionless grandma who still uses a landline, has no credit or debit card, does everything by snail mail and just writes checks for whatever she wants is SOL, because Equifax has to minimize their losses, somehow.

If all of this isn't bad enough, it's been said that:

  • Kaspersky Antivirus flags Equifax's breach-status website as a "phishing site"
  • Entering Qwerty as your last name and 12-3456 as the last six of your Social indicates your information was stolen
  • Equifax insiders sold off stocks before the breach was announced - but they've known about it since May, so obviously they were locking in profit ahead of the stock collapsing

I still feel "hackers gonna hack" and haven't wanted to hold Equifax responsible, but it's getting increasingly difficult to maintain that position when Equifax is doing nothing to show they're being "responsible" or "transparent" about this, or to adequately compensate anyone who might be affected (which, let's be honest, could be almost all of us).

ETA2, 9-12-17: Since posting, it's become not just "increasingly difficult" but impossible to sympathize when it's not a case of hackers finding a novel way around their backend security, but their own failure to patch an Apache Struts vulnerability that they've been able to fix since last March. So they're as at fault as they could possibly be for this entire mess.