143 million compromised Social Security numbers: everything you need to know about the Equifax hack

It has been marked as the worst data breach in US history. Attackers stole half the US population's Social Security numbers from Equifax this spring, but the company only notified people in September. The fallout has been swift, with government agencies looking into the incident, class action lawsuits being filed, and consumers demanding free credit freezes.

Follow along with all of the updates as this story develops.

  • Jul 22, 2019

    Jon Porter

    Equifax agrees to settlement of up to $700 million over 2017 data breach

    Equifax has agreed to a settlement over its 2017 data breach that saw as many as 147 million people’s personal information, including names, birth dates, addresses, and social security numbers, exposed by the company. As part of the settlement, the company will pay at least $575 million, but this could rise to as much as $700 million depending on the amount of compensation people claim. The company has agreed to provide free credit monitoring services to anyone affected for up to 10 years, as well as cash payments of up to $20,000 per person to refund any costs incurred as a result of the breach.

    “Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers,” said FTC Chairman Joe Simons. “This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud.”

  • Jun 29, 2019

    Andrew Liptak

    Former Equifax executive sentenced to prison for insider trading prior to data breach

    The Justice Department announced this week that former Equifax CIO Jun Ying has been sentenced to four months in prison for insider trading. He pled guilty earlier this year to selling his stock in the company prior to the announcement that it had been hit with a massive data breach in 2017.

    The Securities and Exchange Commission charged Ying with insider trading last year. The Department of Justice says that in August 2017, after learning about the breach, he began researching the impact that a similar breach had on another company’s stock price. Later that morning, he promptly exercised and sold all of his stock options, earning nearly a million dollars from the sale. In doing so, he avoided a loss of $117,000 that he otherwise would have incurred when the company’s stock price dropped after the disclosure. More than 150 million people had their personal information leaked in the incident.

  • Mar 14, 2018

    Colin Lecher

    Former Equifax executive charged with insider trading ahead of massive data breach

    A former Equifax executive has been charged by the SEC with insider trading after allegedly selling his stock in the company before it announced last year’s massive data breach.

    According to the SEC, Jun Ying, the CIO of an Equifax business unit and next in line to be the global CIO, received confidential information about the company’s breach before the news was public. Ying allegedly exercised his stock options and sold his shares, making close to $1 million and avoiding a $117,000 loss when the stock price tanked post-announcement.

  • Feb 11, 2018

    Andrew Liptak

    Hackers accessed more personal data from Equifax than previously disclosed

    Last year, credit rating agency Equifax announced that hackers had stolen personal information for 143 million US consumers, including names, Social Security numbers, birthdates, addresses, driver’s license numbers, and some credit card numbers. The Wall Street Journal writes that more information was leaked than was previously reported.

    The revelation comes from a document submitted to the Senate Banking Committee, which says that hackers accessed additional personal information beyond what was initially reported. This includes tax identification numbers, which are used when someone doesn’t have a Social Security number, as well as e-mail addresses, credit card information, and some additional driver’s license information — the states and dates in which the licenses were issued.

  • Oct 3, 2017

    Ben Popper

    Despite massive hack, Equifax wins IRS contract for fraud-detection

    Between March and July of this year, the credit rating agency Equifax was infiltrated by hackers who made off with the sensitive personal information of more than 140 million Americans. That sounds like the kind of thing that might hurt a company’s credibility when it comes to security. But Politico is now reporting that the IRS will pay Equifax $7.25 million to “verify taxpayer identities and help prevent fraud.”

    A synopsis of the contract, published by the Department of the Treasury on September 30, notes that the contract was a “sole source order,” meaning the IRS didn’t shop around for competitive bids. That’s because it’s in a contract dispute with a former security provider, and doesn’t want to let consumer protections lapse. Why Equifax was singled out for the job is another question.

  • Oct 3, 2017

    Russell Brandom

    Former Equifax CEO blames breach on a single person who failed to deploy patch

    This summer, a breach at the credit bureau Equifax compromised Social Security numbers and other sensitive data on more than 145 million people. Since then, experts have been puzzling over how the company allowed it to happen. The attackers seem to have broken into the system by exploiting a public vulnerability in Apache’s Struts software, but by the time the compromise occurred, a patch for that vulnerability had been available for months. So why didn’t Equifax deploy the patch?

    Speaking to the House Energy and Commerce Committee, former Equifax CEO Richard Smith gave the most detailed answer to that question we’ve heard so far. According to him, the team internally discussed the Struts vulnerability when it was first announced by CERT on March 8th.

  • Sep 26, 2017

    Colin Lecher

    Equifax’s CEO is stepping down in the wake of the massive data breach

    Following the massive cybersecurity breach at the company, the CEO of Equifax is stepping down.

    Earlier this month, the credit reporting agency disclosed that a hack had endangered the personal information of 143 million US-based users, an incident that has led to a swell of criticism toward the company.

  • Sep 21, 2017

    Ashley Carman

    Experian allows users to undo a credit freeze just by knowing a handful of breachable facts

    Experian's online PIN-recovery system could let attackers undo a credit freeze just by figuring out a few easy facts. In the weeks following the Equifax breach, consumers have been told to freeze their credit, thereby blocking possible attackers from opening new lines of credit under their names. It makes sense as a defense strategy, but as cybersecurity reporter Brian Krebs reports today, the protections around those freezes are easy to subvert.

    Experian makes it easy to undo a credit freeze, resetting a subject's PIN through an easily accessible account recovery page. That page only asks for a person’s name, address, date of birth, and Social Security number when someone wants to retrieve their credit freeze PIN. All that data was compromised in the Equifax breach, as well as other breaches, so we can probably assume hackers possess this information. 

  • Sep 20, 2017

    Dani Deahl and Ashley Carman

    For weeks, Equifax customer service has been directing victims to a fake phishing site

    Earlier this month, hackers broke into Equifax's servers and stole 143 million people's personal information, including their Social Security numbers. In response to the attack, Equifax set up a website — www.equifaxsecurity2017.com — for possible victims to verify whether they're affected. Because the process involves sharing sensitive information, consumers have to trust they're entering their data in the right place, which can be tricky because the breach-recovery site itself isn’t part of equifax.com. If users end up on the wrong site, they could end up leaking the data they're already concerned was stolen.

    Today, Equifax ended up creating that exact situation on Twitter. In a tweet to a potential victim, the credit bureau linked to securityequifax2017.com, instead of equifaxsecurity2017.com. It was an easy mistake to make, but the result sent the user to a site with no connection to Equifax itself. Equifax deleted the tweet shortly after this article was published, but it remained live for nearly 24 hours.

  • Sep 19, 2017

    Thuy Ong

    New evidence raises doubts about executives’ handling of the Equifax breach

    New evidence calls into question Equifax’s handling of the breach reported last week, which compromised 143 million user details including Social Security numbers, birthdates, and addresses.

    Equifax discovered a breach of its computer systems in March, months earlier than it previously admitted to, reports Bloomberg, citing three people with knowledge of the matter. The relationship between the two breaches is unclear, but one source Bloomberg spoke to said the breaches involve the same intruders. Both hacks appear to have exploited the same vulnerability in Apache software that Equifax didn’t fully patch until it was too late.

  • Sep 15, 2017

    Ashley Carman

    Democratic senators are introducing a bill that would let people freeze their credit for free

    Massachusetts Senator Elizabeth Warren and 11 other Democratic senators introduced a bill this week that could give people the ability to freeze their credit for free. Warren also announced that she's sent letters to the country's three biggest credit reporting firms (Equifax, TransUnion, and Experian), the FTC, the Consumer Financial Protection Bureau, and the Government Accountability Office in an effort to kickstart an investigation into Equifax's monumental data breach that affected more than 140 million Americans.

    The bill is co-sponsored by 11 Democrats. With a Republican-controlled Congress, they’ll face a steep uphill battle to get it passed.

  • Sep 14, 2017

    Russell Brandom

    The FTC is looking into the Equifax breach

    The Federal Trade Commission is actively investigating the massive breach revealed last week at credit bureau Equifax, which leaked personal financial information on 143 million people.

    “The FTC typically does not comment on ongoing investigations,” spokesman Peter Kaplan wrote in an email to Reuters. “However, in light of the intense public interest and the potential impact of this matter, I can confirm that FTC staff is investigating the Equifax data breach.” Nearly 40 states have also joined a probe of the company’s business practices.

  • Sep 13, 2017

    Thuy Ong

    Equifax waives credit protection fees after consumer outcry

    Equifax says it will now waive all of its fees for customers who want to freeze their credit files with the company, reports The New York Times, but it will only do so until November 21. Equifax will also refund fees to those who have paid since September 7 — the day the company announced 143 million users have had their Social Security numbers, birthdates, addresses, and in some cases, credit card numbers compromised. The freeze keeps new creditors from accessing customer files, which would help to stem identity fraud.

    Equifax initially required customers to pay for a freeze to their accounts to protect their personal data leaked by the company. The announcement to waive fees was made after a deluge of customer complaints. Before that it had offered a year of free credit monitoring as an olive branch. To add further insult, the breach happened over a month before the company actually disclosed it. The company is working with authorities and an independent cybersecurity firm on an investigation.

  • Sep 12, 2017

    Shannon Liao

    Chatbot lets you sue Equifax for up to $25,000 without a lawyer

    Equifax’s security failure affected 143 million US consumers, or 44 percent of the US population. To add insult to injury, Equifax waited over a month before revealing the security breach it had suffered. If you’re one of the millions affected by the breach, a chatbot can now help you sue Equifax in small claims court, potentially letting you avoid hiring a lawyer for advice.

    Even if you want to be part of the class action lawsuit against Equifax, you can still sue Equifax for negligence in small claims court using the DoNotPay bot and demand maximum damages. Maximum damages range between $2,500 in states like Rhode Island and Kentucky to $25,000 in Tennessee.

  • Sep 8, 2017

    Adi Robertson

    Can you join a class action suit if you use Equifax’s free identity theft protection?

    Credit reporting agency Equifax’s July data breach leaked information on 143 million US-based people, almost half the country’s population. But if you want to be part of a class action lawsuit that was recently filed against the company, accepting its free identity protection service might make things harder. That’s because Equifax’s terms of service force users to settle complaints individually, using a common and widely criticized legal clause. This clause might not apply to the data breach, and Equifax might not intend to enforce it — but its broad ambiguity has legal experts worried.

    When the leak was revealed yesterday, Equifax set up a page offering free enrollment in its TrustedID Premier monitoring service. The page asks people to enter their name and partial Social Security number to see if they’ve been affected, then tells them to come back after a stated date to enroll in protection. But visitors quickly pointed out that Equifax’s terms of service include a consumer-unfriendly piece of legalese known as an arbitration clause, which bans parties from joining class action lawsuits. If a court finds that Equifax was negligently lax with cybersecurity, people bound by the terms might be locked out of benefits, unless they file a new suit.

  • Sep 8, 2017

    Ashley Carman

    How to freeze your credit after a data breach

    Yesterday, Equifax announced that hackers stole half of the US population's Social Security numbers in what will likely end up being one of the worst data breaches to ever affect the country. If you're one of the victims, you might consider freezing your credit. Here's information on how to do that, and what it entails.

    Equifax built a website for the data breach where you can type in your name and the last six digits of your Social Security number to figure out whether your information was compromised. Now, there's been some talk about the website's Terms of Service. Some people have speculated that using the website could waive your right to join a class action suit. This isn't clear yet.

  • Sep 8, 2017

    Russell Brandom

    Our entire credit bureau system is broken

    This week saw the biggest public breach in the history of credit reporting, as Equifax reported a hack affecting as many as 143 million customers. The hack exposed Social Security numbers, birthdays, and, in some cases, even credit cards. The attackers gained access as early as May, so the data has now been circulating for months. For years, experts have said you should assume your Social Security number and birthday are already available on criminal marketplaces — and with more than half of the adult US population implicated, that logic is now hard to avoid.

    Beyond the immediate damage, the breach reveals some deep absurdities in Equifax’s business model. The company was one of the central stores of personal data, the place you checked to make sure you weren’t writing a mortgage to an impostor. But now the impostors have the same data as everyone else. If you can’t keep it secure, why stockpile the data in the first place?

  • Sep 7, 2017

    Ashley Carman

    Equifax compromised 143 million people's Social Security numbers and other data

    Equifax announced today that 143 million US-based users had their personal information compromised this year. Attackers reportedly exploited a vulnerability on Equifax's website to steal names, Social Security numbers, birthdates, addresses, and, in some cases, driver’s license numbers. Credit card numbers for approximately 209,000 people and certain dispute documents with personal identifying information for approximately 182,000 people were also accessed. Although Equifax operates in other countries, it didn't detect any stolen personal information abroad.

    The company says it discovered the breach on July 29th this year, and has since plugged the security hole. The company also set up a dedicated website — www.equifaxsecurity2017.com — for possible victims to sign up for credit file monitoring and identity theft protection.
