marahmarie: my initials (MM) (Default)

The Equifax data breach is turning into a complete disaster because the very thing they're offering to "protect" us - free credit monitoring for one year - has so many "gotchas" built in you might be better off not signing up, or even using their website to check if you were affected by the breach.

For starters, checking your name for breach status or signing up for Equifax's credit monitoring could prevent you from joining the class action lawsuit which arose from it.

ETA, 9-12-17: Not to mention the website appears to be broken, which sounds about right, because the first time I checked I got no answer on whether I was "impacted" or not, while the second time (same session, same cookies) I was told I was "impacted" and encouraged to sign up for free credit monitoring - after I already had.

And opting out by snail mail from the arbitration clause which prevents you from joining requires submitting an "Equifax User ID" that people who merely check their status or sign up for protection will not have, so opt-out for us isn't actually possible.

But signing up for "free-for-now" monitoring will result in getting billed for service after just one year if you don't cancel ahead of time (just like AOL's so-called "free" trial: if you do nothing, they'll start charging for service whether you like it or not). Signing up also requires internet access and a credit or debit card because of course it does, so your connectionless grandma who still uses a landline, has no credit or debit card, does everything by snail mail and just writes checks for whatever she wants is SOL, because Equifax has to minimize their losses, somehow.

If all of this isn't bad enough, it's been said that:

  • Kaspersky Antivirus flags Equifax's breach-status website as a "phishing site"
  • Entering Qwerty as your last name and 12-3456 as the last six of your Social indicates your information was stolen
  • Equifax insiders sold off stocks before the breach was announced - but they've known about it since May, so obviously they were locking in profit ahead of the stock collapsing

I still feel "hackers gonna hack" and haven't wanted to hold Equifax responsible, but it's getting increasingly difficult to maintain that position when Equifax is doing nothing to show they're being "responsible" or "transparent" about this, or to adequately compensate anyone who might be affected (which, let's be honest, could be almost all of us).

ETA2, 9-12-17: Since posting, it's become not just "increasingly difficult" but impossible to sympathize when it's not a case of hackers finding a novel way around their backend security, but their own failure to patch an Apache Struts vulnerability that they've been able to fix since last March. So they're as at fault as they could possibly be for this entire mess.


ETA, 9-9-17 PLEASE READ FIRST: Things got hairy here real fast: a class action was recently filed against Equifax (which I didn't learn of until shortly after posting) and signing up at Equifax for credit protection (or even entering your name to check if you were affected by this breach) using the steps below could legally prevent you from becoming a member.

I'd signed up before writing this, but because I don't hold Equifax responsible (hackers gonna hack, and they're getting sort of good at it, lemme tell you!) I'm not worried about joining. It would be nice if I could, especially if this breach winds up costing me money and/or my privacy down the road, but if I can't I can't.

I just wish I'd known of the lawsuit before signing up for protection. In light of that, I want others to be aware of any possible trade-offs they'll be making.

The Verge reports on what to do if you've already entered your name or signed up for protection (emphasis mine):

For now, the one existing loophole is Equifax’s opt-out provision — another common element of arbitration clauses. Within 30 days of agreeing to the terms of the enrollment, you can deliver a written notice to this address:

Equifax Consumer Services LLC
Attn.: Arbitration Opt-Out
P.O. Box 105496
Atlanta, GA 30348

It needs to include your name, address, and Equifax User ID, as well as “a clear statement that you do not wish to resolve disputes with Equifax through arbitration.”

ETA2: the above opt-out information is useless for anyone who isn't a paying Equifax customer, as the rest of us didn't get "Equifax User IDs" just by checking our names on the website or signing up for credit protection.

ETA3: More updates are in a separate post.


It's been a banner week for this sort of thing, hasn't it? And I'm in the affected users pile, so I'll be signing up for protection (they put you on a waiting list because apparently they wish to not imitate healthcare.gov with a disastrous rollout, so signup looks to be ongoing in slow waves).

In five steps, because apparently they feel a bit awkward about putting us through all this:

  • Read the blah blah blah
  • Click here, more blah blah blah. Now click the button (it takes you here: Check Potential Impact)
  • See if you were in the affected user pile by typing your last name and last six numbers of your Social Security number into boxes on this screen
  • Take the "I'm not a robot" vision tests (I hate these fucking things; anyone else?)
  • Sign up for protection