It has been marked as the worst data breach in US history. Attackers stole half the US population's Social Security numbers from Equifax this spring, but the company only notified people in September. The fallout has been swift, with government agencies looking into the incident, class action lawsuits being filed, and consumers demanding free credit freezes.
Follow along with all of the updates as this story develops.
Jul 22, 2019
Equifax agrees to settlement of up to $700 million over 2017 data breach
Equifax has agreed to a settlement over its 2017 data breach that saw as many as 147 million people’s personal information, including names, birth dates, addresses, and social security numbers, exposed by the company. As part of the settlement, the company will pay at least $575 million, but this could rise to as much as $700 million depending on the amount of compensation people claim. The company has agreed to provide free credit monitoring services to anyone affected for up to 10 years, as well as cash payments of up to $20,000 per person to refund any costs incurred as a result of the breach.
“Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers,” said FTC Chairman Joe Simons. “This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud.”
Jun 29, 2019
Former Equifax executive sentenced to prison for insider trading prior to data breach
The Justice Department announced this week that former Equifax CIO Jun Ying has been sentenced to four months in prison for insider trading. He pled guilty earlier this year to selling his stock in the company prior to the announcement that it had been hit with a massive data breach in 2017.
The Securities and Exchange Commission charged Ying with insider trading last year. The Department of Justice says that in August 2017, after learning about the breach, he began researching the impact that a similar breach had on another company’s stock price. Later that morning, he promptly exercised and sold all of his stock options, earning nearly a million dollars from the sale. In doing so, he avoided a loss of $117,000 that he otherwise would have incurred when the company’s stock price dropped after the disclosure. More than 150 million people had their personal information leaked in the incident.
Mar 14, 2018
Former Equifax executive charged with insider trading ahead of massive data breach
A former Equifax executive has been charged by the SEC with insider trading after allegedly selling his stock in the company before it announced last year’s massive data breach.
According to the SEC, Jun Ying, the CIO of an Equifax business unit and next in line to be the global CIO, received confidential information about the company’s breach before the news was public. Ying allegedly exercised his stock options and sold his shares, making close to $1 million and avoiding a $117,000 loss when the stock price tanked post-announcement.
Feb 11, 2018
Hackers accessed more personal data from Equifax than previously disclosed
Last year, credit rating agency Equifax announced that hackers had stolen personal information for 143 million US consumers, including names, Social Security numbers, birthdates, addresses, drivers license numbers, and some credit card numbers. The Wall Street Journal writes that more information was leaked than was previously reported.
The revelation comes from a document submitted to the Senate Banking Committee, which says that hackers accessed additional personal information beyond what was initially reported. This includes tax identification numbers, which are used when someone doesn’t have a social security number, as well as e-mail addresses, credit card information, and some additional drivers license information — the states and dates in which the licenses were issued.
Oct 3, 2017
Despite massive hack, Equifax wins IRS contract for fraud-detection
Between March and July of this year, the credit rating agency Equifax was infiltrated by hackers who made off with the sensitive personal information of more than 140 million Americans. That sounds like the kind of thing that might hurt a company’s credibility when it comes to security. But Politico is now reporting that the IRS will pay Equifax $7.25 million to “verify taxpayer identities and help prevent fraud.”
A synopsis of the contract, published by the Department of the Treasury on September 30, notes that the contract was a “sole source order,” meaning the IRS didn’t shop around for competitive bids. That’s because it’s in a contract dispute with a former security provider, and doesn’t want to let consumer protections lapse. Why Equifax was singled out for the job is another question.
Oct 3, 2017
Former Equifax CEO blames breach on a single person who failed to deploy patch
This summer, a breach at the credit bureau Equifax compromised Social Security numbers and other sensitive data on more than 145 million people. Since then, experts have been puzzling over how the company allowed it to happen. The attackers seem to have broken into the system by exploiting a public vulnerability in Apache’s Struts software, but by the time the compromise occurred, a patch for that vulnerability had been available for months. So why didn’t Equifax deploy the patch?
Speaking to the House Energy and Commerce Committee, former Equifax CEO Richard Smith gave the most detailed answer to that question we’ve heard so far. According to him, the team internally discussed the Struts vulnerability when it was first announced by CERT on March 8th.
Sep 26, 2017
Equifax’s CEO is stepping down in the wake of the massive data breach
Following the massive cybersecurity breach at the company, the CEO of Equifax is stepping down.
Earlier this month, the credit reporting agency disclosed that a hack had endangered the personal information of 143 million US-based users, an incident that has led to a swell of criticism toward the company.
Sep 21, 2017
Experian allows users to undo a credit freeze just by knowing a handful of breachable facts
Experian's online PIN-recovery system could let attackers undo a credit freeze just by figuring out a few easy facts. In the weeks following the Equifax breach, consumers have been told to freeze their credit, thereby blocking possible attackers from opening new lines of credit under their names. It makes sense as a defense strategy, but as cybersecurity reporter Brian Krebs reports today, the protections around those freezes are easy to subvert.
Experian makes it easy to undo a credit freeze, resetting a subject's PIN through an easily accessible account recovery page. That page only asks for a person’s name, address, date of birth, and Social Security number when someone wants to retrieve their credit freeze PIN. All that data was compromised in the Equifax breach, as well as other breaches, so we can probably assume hackers possess this information.
Sep 20, 2017
For weeks, Equifax customer service has been directing victims to a fake phishing site
Earlier this month, hackers broke into Equifax's servers and stole 143 million people's personal information, including their Social Security numbers. In response to the attack, Equifax set up a website — www.equifaxsecurity2017.com — for possible victims to verify whether they're affected. Because the process involves sharing sensitive information, consumers have to trust they're entering their data in the right place, which can be tricky because the breach-recovery site itself isn’t part of equifax.com. If users end up on the wrong site, they could end up leaking the data they're already concerned was stolen.
Today, Equifax ended up creating that exact situation on Twitter. In a tweet to a potential victim, the credit bureau linked to securityequifax2017.com, instead of equifaxsecurity2017.com. It was an easy mistake to make, but the result sent the user to a site with no connection to Equifax itself. Equifax deleted the tweet shortly after this article was published, but it remained live for nearly 24 hours.
Sep 19, 2017
New evidence raises doubts about executives’ handling of the Equifax breach
New evidence calls into question Equifax’s handling of the breach reported last week, which compromised 143 million user details including Social Security numbers, birthdates, and addresses.
Equifax discovered a breach of its computer systems in March, months earlier than it previously admitted to, reports Bloomberg, citing three people with knowledge of the matter. The relationship between the two breaches is unclear, but one source Bloomberg spoke to said the breaches involve the same intruders. Both hacks appear to have exploited the same vulnerability in Apache software that Equifax didn’t fully patch until it was too late.
Sep 15, 2017
Democratic senators are introducing a bill that would let people freeze their credit for free
Massachusetts Senator Elizabeth Warren and 11 other Democratic senators introduced a bill this week that could give people the ability to freeze their credit for free. Warren also announced that she's sent letters to the country's three biggest credit reporting firms (Equifax, TransUnion, and Experian), the FTC, the Consumer Financial Protection Bureau, and the Government Accountability Office in an effort to kickstart an investigation into Equifax's monumental data breach that affected more than 140 million Americans.
The bill is co-sponsored by 11 Democrats. With a Republican-controlled Congress, they’ll face a steep uphill battle to get it passed.
Sep 14, 2017
The FTC is looking into the Equifax breach
The Federal Trade Commission is actively investigating the massive breach revealed last week at credit bureau Equifax, which leaked personal financial information on 143 million people.
“The FTC typically does not comment on ongoing investigations,” spokesman Peter Kaplan wrote in an email to Reuters. “However, in light of the intense public interest and the potential impact of this matter, I can confirm that FTC staff is investigating the Equifax data breach.” Nearly 40 states have also joined a probe of the company’s business practices.
Sep 13, 2017
Equifax waives credit protection fees after consumer outcry
Equifax says it will now waive all of its fees for customers who want to freeze their credit files with the company, reports The New York Times, but it will only do so until November 21. Equifax will also refund fees to those who have paid since September 7 — the day the company announced 143 million users have had their Social Security numbers, birthdates, addresses, and in some cases, credit card numbers compromised. The freeze keeps new creditors from accessing customer files, which would help to stem identity fraud.
Equifax initially required customers to pay for a freeze to their accounts to protect their personal data leaked by the company. The announcement to waive fees was made after a deluge of customer complaints. Before that it had offered a year of free credit monitoring as an olive branch. To add further insult, the breach happened over a month before the company actually disclosed it. The company is working with authorities and an independent cybersecurity firm on an investigation.
Sep 12, 2017
Chatbot lets you sue Equifax for up to $25,000 without a lawyer
Equifax’s security failure affected 143 million US consumers, or 44 percent of the US population. To add insult to injury, Equifax waited over a month before revealing the security breach it had suffered. If you’re one of the millions affected by the breach, a chatbot can now help you sue Equifax in small claims court, potentially letting you avoid hiring a lawyer for advice.
Even if you want to be part of the class action lawsuit against Equifax, you can still sue Equifax for negligence in small claims court using the DoNotPay bot and demand maximum damages. Maximum damages range between $2,500 in states like Rhode Island and Kentucky to $25,000 in Tennessee.
Sep 8, 2017
Can you join a class action suit if you use Equifax’s free identity theft protection?
Credit reporting agency Equifax’s July data breach leaked information on 143 million US-based people, almost half the country’s population. But if you want to be part of a class action lawsuit that was recently filed against the company, accepting its free identity protection service might make things harder. That’s because Equifax’s terms of service force users to settle complaints individually, using a common and widely criticized legal clause. This clause might not apply to the data breach, and Equifax might not intend to enforce it — but its broad ambiguity has legal experts worried.
When the leak was revealed yesterday, Equifax set up a page offering free enrollment in its TrustedID Premier monitoring service. The page asks people to enter their name and partial Social Security number to see if they’ve been affected, then tells them to come back after a stated date to enroll in protection. But visitors quickly pointed out that Equifax’s terms of service include a consumer-unfriendly piece of legalese known as an arbitration clause, which bans parties from joining class action lawsuits. If a court finds that Equifax was negligently lax with cybersecurity, people bound by the terms might be locked out of benefits, unless they file a new suit.
Sep 8, 2017
How to freeze your credit after a data breach
Yesterday, Equifax announced that hackers stole half of the US population's Social Security numbers in what will likely end up being one of the worst data breaches to ever affect the country. If you're one of the victims, you might consider freezing your credit. Here's information on how to do that, and what it entails.
Equifax built a website for the data breach where you can type in your name and the last six digits of your Social Security number to figure out whether your information was compromised. Now, there's been some talk about the website's Terms of Service. Some people have speculated that using the website could waive your right to join a class action suit. This isn't clear yet.
Sep 8, 2017
Our entire credit bureau system is broken
This week saw the biggest public breach in the history of credit reporting, as Equifax reported a hack affecting as many as 143 million customers. The hack exposed Social Security numbers, birthdays, and, in some cases, even credit cards. The attackers gained access as early as May, so the data has now been circulating for months. For years, experts have said you should assume your Social Security number and birthday are already available on criminal marketplaces — and with more than half of the adult US population implicated, that logic is now hard to avoid.
Beyond the immediate damage, the breach reveals some deep absurdities in Equifax’s business model. The company was one of the central stores of personal data, the place you checked to make sure you weren’t writing a mortgage to an impostor. But now the impostors have the same data as everyone else. If you can’t keep it secure, why stockpile the data in the first place?
Sep 7, 2017
Equifax compromised 143 million people's Social Security numbers and other data
Equifax announced today that 143 million US-based users had their personal information compromised this year. Attackers reportedly exploited a vulnerability on Equifax's website to steal names, Social Security numbers, birthdates, addresses, and, in some cases, driver’s license numbers. Credit card numbers for approximately 209,000 people and certain dispute documents with personal identifying information for approximately 182,000 people were also accessed. Although Equifax operates in other countries, it didn't detect any stolen personal information abroad.
The company says it discovered the breach on July 29th this year, and has since plugged the security hole. The company also set up a dedicated website — www.equifaxsecurity2017.com — for possible victims to sign up for credit file monitoring and identity theft protection.