Equifax compromised 143 million people's Social Security numbers and other data

Illustration by Alex Castro / The Verge

Equifax announced today that 143 million US-based users had their personal information compromised this year. Attackers reportedly exploited a vulnerability on Equifax's website to steal names, Social Security numbers, birthdates, addresses, and, in some cases, driver’s license numbers. Credit card numbers for approximately 209,000 people and certain dispute documents with personal identifying information for approximately 182,000 people were also accessed. Although Equifax operates in other countries, it didn't detect any stolen personal information abroad.

The company says it discovered the breach on July 29th this year, and has since plugged the security hole. The company also set up a dedicated website — www.equifaxsecurity2017.com — for possible victims to sign up for credit file monitoring and identity theft protection.

Data breaches are fairly common, although those impacting Social Security and driver's license numbers are rarer and more serious. The fact that Social Security numbers are included in the breach makes it likely that victims will be targeted for identity theft. Equifax says it's working with both an independent cybersecurity firm and law enforcement to investigate.

Comments

So they’ve compromised the personal information of almost half of the entire US’s population, and in exchange they’re only offering 1 year of free credit monitoring? I guess identity thieves just need to wait out the year.

And then they’re going to put the burden on the person requesting it to save the information and come back at a separate date.

It’s always such a f@$#ing scam that the resolution to data theft from criminally careless corporations is a one year free trial to worthless credit monitoring services like Equifax – likely the corporation doesn’t even need to pay anything, Equifax is just happy to get suckers on the subscriber lists.

And now they’re doing it for themselves, nice marketing guys.

Rather than taking them up on the credit monitoring offer (or I guess maybe in conjunction with it?), people should consider freezing their accounts at all credit bureaus. Temporarily unfreeze then when you apply for a loan or something, then close ‘em back up.

As mentioned in the link, it’s how Brian Krebs stopped a group of identity thieves from repeatedly opening fraudulent credit cards and loans in his name as payback for shining a spotlight on them.

This is great advice. The extra trouble you might have in legitimate use of your own (e.g. getting a new car loan) is nothing compared to the nightmare you’d face dealing with identity theft.

FYI I just did this on all four and it was easy. It was free on all four.

This cost money though. It sounds like you actually have to have your identity stolen to get this service for free.

There is a one-time fee for each freeze (varies by state; I paid nothing to Equifax and $10 apiece to Experian and TransUnion). Unfreezing/refreezing can also cost money, but over time it’s far cheaper than credit monitoring (~$10-20 a month) and less likely to fail in preventing fraud.

Hijacking my own comment: If you sign up for this, you give up the right to sue them (including any potential class action down the road), and you’re giving them more of your personal information (like your e-mail).

So even this insulting freebie is full of traps.

And they try to upsell you in the process of registering. LOL.

That’s weak shit, when the government lost all my background information, ssn, (probably fingerprints) AT LEAST they gave me ID protection for "not less than 10 years"

This may explain the sudden increase in fraudulent on all of my financial accounts.

really pissed

It will be quite ironic when people get their Equifax credit reports, find abuse from this breach, and then have to go through Equifax’s dispute process to remove it.

Don’t worry, they’ll probably offer a discount on their usual fees for doing this.

Why should this company, which I don’t have an account with and have never worked with, be allowed to have my social security and other valuable personal/private information in the first place?

https://blog.equifax.com/credit/how-do-credit-reporting-agencies-get-their-information/

Everytime you apply for a loan, mortgage, credit card or join a bank or change address it goes on your credit file (held by Equifax).

Equifax inform banks of your credit rating so they can assess if you are credit worthy or how much money they should give you for a loan.

Welcome to the real world

It’s a matter of time before the big 3 credit agencies are disrupted because of their inefficiency and incompetence.

They should have to get your consent directly. There has to be a better way.

The real world… where for profit companies determine your "creditworthiness".

This is infuriating! There needs to be a way to check credit worthiness without letting 3rd parties have permanent access to our sensitive data!

Why would a bank want to take on the enormous task/responsibility of credit-worthiness instead of just paying for the service?

It makes 29 years I work for a major bank. Trust me you would not want a bank taking this task.

Like in Australia where your Tax File Number [akin to a SSN/SIN] is only provided to your employer and banks for the sole purpose tax accountability, and credit reports are performed using your name, date of birth, residential history, and employment history and verification to your current employer via a phone call you must authorise. I ave never understood the requirement in the States to hand our something so important as a SSN to everyone institution that asks.

I think a data breach like will hopefully force us to reevaluate our use of SSNs for everything.

View All Comments
Back to top ↑