Equifax Faces Multibillion-Dollar Lawsuit Over Hack

1345 points | jameslk | 8 years ago | bloomberg.com

648 comments

[+] hedora|8 years ago|reply
I'd love to see the $70B number pan out (though $500 per person is less than the damages, I think) -- Equifax is a $17B company, and would presumably stop existing if that happened.

On the other hand, these things always settle out of court, and Equifax certainly won't settle the suit for more than they're worth.

I said it elsewhere, but I think the right response is to opt out of the class, and sue for $1000 in small claims court. If ~15% of the class does this, they are out of business, and lawyers don't get a dime of the $1000.

Also, I'd love to see a new non-profit website that automated the paperwork.

[+] billh|8 years ago|reply
This class action will likely be settled in the same way the Ticketmaster case was settled ... with a coupon book good for 2 free credit reports.
[+] Chaebixi|8 years ago|reply
> I said it elsewhere, but I think the right response is to opt out of the class, and sue for $1000 in small claims court. If ~15% of the class does this, they are out of business, and lawyers don't get a dime of the $1000.

IANAL, but can't you only sue for actual damages not hypothetical damages? According to this [1] your identity with SSN is only worth $30 on the black market. To get $1000 out of them you'd probably need to have your identity actually stolen and prove it was stolen from Equifax.

[1] http://www.bankrate.com/finance/credit/what-your-identity-is...

[+] lr4444lr|8 years ago|reply
But then you would have to show $1000 of actual personal damage, which I doubt few if any can, unless you're thinking Equifax will just settle these one after another. But they're just as capable of multiplying out how many of these will have to happen before the losses devastate them like you just did and at some point will actually show up and make you prove your case.
[+] xur17|8 years ago|reply
I saw your post about this in the other thread. If anyone wants to work together on this idea, my contact info is in my profile. If someone has a lawyer we can loop in (or is a lawyer), that would be ideal.
[+] ovao|8 years ago|reply
Why $1,000? And how would you prove damages equaling that amount?
[+] criddell|8 years ago|reply
If they are out of business, they sell their assets which are office chairs, fax machines, and a giant database with information on everybody. Are you not worried about the sale of that data?
[+] otakucode|8 years ago|reply
Toyota's negligent practices with regard to software killed at least 2 people. Their developers did not even have a bug tracking system at all. They followed only 6 of 90+ industry standard recommended practices. They lied about the system using error-checking RAM when it actually did not. None of that was enough to get a court to declare them negligent. Equifax will be fully acquitted. If a computer is involved, companies can get away with literally killing people. This is court precedent.
[+] mlrtime|8 years ago|reply
Could we create a service that automates most of the work required to sue in SCC?
[+] pgnas|8 years ago|reply
They should be driven out of business. Their #1 commodity, the only reason they exist and they don't spend the time or money to protect it?
[+] stcredzero|8 years ago|reply
> I said it elsewhere, but I think the right response is to opt out of the class, and sue for $1000 in small claims court.

There's usually no enforcement of penalties in small claims court.

[+] nashashmi|8 years ago|reply
The ideal way to recompensate $500 or $1000 is to sign up everyone for credit/id theft protection, for say, 5 years.

I don't know where else they get their revenue from, but free credit protection will hurt them significantly in the long run.

[+] ethanwillis|8 years ago|reply
Can I actually do this? Cause if I can I'm totally doing this.
[+] IgorPartola|8 years ago|reply
If you can write up the process in detail for my state, I will give you 15% of what I win from them. If you automate it as much as possible, 20%.
[+] clamprecht|8 years ago|reply
They still have the death penalty for humans in the US, why not companies?
[+] philipps|8 years ago|reply
Does anyone have experience with this process and could share some tips, e.g. is it likely to be successful, is it open to non-citizens, how much paperwork are we talking about?
[+] joshdance|8 years ago|reply
How hard is it to sue in small claims court?
[+] desireco42|8 years ago|reply
I love your idea. I would be game if something is happening in that direction.
[+] sjg007|8 years ago|reply
In small claims court, would you not have to show $1000 worth of damages?
[+] g051051|8 years ago|reply
Are you kidding? This is a 100% instant dismissal if it even gets to a judge. The allegations are groundless... the plaintiffs have no knowledge of Equifax's security systems in order to have any sort of standing to make any claims regarding the quality of it.

The sad truth is you can do everything right to the best of your ability and still get hacked. So just the fact that they were hacked isn't sufficient evidence that they were negligent.

[+] runesoerensen|8 years ago|reply
NYS Attorney General on the arbitration/rights waiver clause: "This language is unacceptable and unenforceable. My staff has already contacted @Equifax to demand that they remove it." https://twitter.com/AGSchneiderman/status/906195350532304896

Also: "I am launching a formal investigation into the #Equifax breach. Today, I sent a letter to @Equifax seeking additional information." https://twitter.com/AGSchneiderman/status/906197644841766912

[+] hcurtiss|8 years ago|reply
Yeah, I'm not sure the arbitration language is applicable here anyway. The claims would arise from Experian's failure to secure their data, not from use of the "Products" offered by TrustedID (namely, the website allowing me to check) or the subject matter of the Terms of Use agreement.
[+] cletus|8 years ago|reply
Ok, so credit reporting agency collects sensitive personal and financial data on basically every adult American, loses it to a bunch of criminals and now I have to deal with the consequences?

I looked into credit freezes yesterday. This is really a total scam. You have to _call_ each of the three agencies and pay a fee ($5 to $10) each time. If you need to unfreeze your report to make a legitimate credit application you have to call each of them twice (once to unfreeze and another to freeze) paying fees every time.

Now if you're a paying member (paying a minimum of $15/month to each agency) you can just lock and unlock your credit file on a mobile app (well, three mobile apps and I'm not sure all three support this). It's amazing how convenient things get once they're already extorting you for "credit protection".

This shouldn't even be legal.

Also, if a fraudster defrauds a financial institution with your personally identifiable details, it should be an issue between the agency and the financial institution as you were not a party to this loan. The reporting agency saying you were should be slander.

Financial institutions should be interested in consumers having an easy ability to lock their credit files as it would decrease the number of fraudulent credit applications.

So why can't I have a mobile app (or three) for free that allows me to easily lock and unlock my file or, better yet, to vet every inquiry and approve it or not?

[+] eduren|8 years ago|reply
> In the complaint filed in Portland, Ore., federal court, users alleged Equifax was negligent in failing to protect consumer data, choosing to save money instead of spending on technical safeguards that could have stopped the attack.

Doesn't "users" imply that we had a choice in the matter? As if we're Equifax's customers? I feel more like we're victims in this case.

[+] Taek|8 years ago|reply
Got an email from my Dad today:

"I checked myself, my wife, you and your brother. To the best of my knowledge none of us have Equifax accounts, but it says they probably got our address & driver's license for all four of us.

I don't want to waste money on LifeLock. What can I do? Just watch my accounts?"

Is Visa, MasterCard, etc. at least partially to blame here for picking a bad solution? My personal ties are not with Equifax, I have no direct means as a consumer to express dissatisfaction. Can I sue Visa? They are they ones (I presume anyway) who did the actual information collection from me, and then it was mishandled.

We need more tools for dealing with data breaches. Things aren't slowing down, and they aren't going to unless something big changes.

[+] rwmj|8 years ago|reply
I had a problem signing up for a mobile phone contract a while ago. The mobile company eventually told me that Equifax were supplying them with (my) information which was slightly different from what I was saying about myself, so I called up Equifax. To "fix" things, Equifax wanted me to send a notarised copy of my passport to them (at my expense!)

Of course I told them to get lost and just used another mobile provider, but I learned from this episode that all of these consumer services companies share data both ways with these credit checking agencies.

[+] flatline|8 years ago|reply
If you've ever opened a bank account or a line of credit you signed something to the effect that you agreed to let your institution share your data with these agencies.
[+] privaroonie|8 years ago|reply
Yeah, I would think so. So far, we've learned that they've exposed virtually everyone's data through their incompetence (thus exposing nearly every adult in the US to a high risk of identity fraud), sold stock to avoid personal financial losses before the news broke, and set up a scam site to trick people into giving up their right to sue.

If this isn't criminal, then nothing is. If someone doesn't go to jail over this, why the hell shouldn't I just go out and commit fraud on a daily basis myself? It seems to be rewarded in our society...

[+] ineptech|8 years ago|reply
Is it time for a Federal Department of Verifying Whether People Are Who They Say They Are?

Verifying identity with SSN is broken. The right way is probably more or less how big webapps do it - MFA + a password that the user can reset by providing a bunch of info. The government has the necessary private info to do this in most cases (e.g. DL# plus your income from last year's taxes), and can fall back to "Show up at a police station/DMV/other office and talk to a human" in disputed cases.

I'm sure there are lots of private corporations that would love to be the One True Arbiter of who's who, but none of us would trust them, or want to pay the price. An open source solution (something like Keybase?) seems possible, but not without government backing.

[+] redm|8 years ago|reply
I'm not excited about this class action; if they win, the individual payout will be almost nothing ($10?). The lawyers are the only ones who will really "make out" with tens of millions in fees.

There is also a disproportionate effect in that a small portion of the 143 million affected will have a large impact, i.e., "identity theft" while most will be unaffected.

I think a fund set up to help those who are directly affected is a better idea. This could be done through government action where penalty proceeds are turned into a fund. In other words, similar to the BP oil spill in the gulf where the fund helped those who lost income or suffered property damage.

[+] eloff|8 years ago|reply
It's a sign of how awful Equifax is that I find myself rooting for the lawfirms in this case. I really hope they win, and that they get the full $70 billion, and that it's enough to shutter Equifax permanently. What a win that would be! Also it would serve as a nice cautionary tale to companies that infosec matters. That insurance for data breaches matters.

Because right now, it's too easy for them to not care. It's us that suffer the consequences, not them. That has to change.

[+] jjm|8 years ago|reply
It's time for this draconian type of business service be disrupted. It's gotten too big and unregulated.

We often question monopolistic behavior with regard to market share and competition for physical goods. However we don't see this type of questioning with regard to data monopolies. Hate to say it that while I enjoy the use of Google and Facebook, they may also fall into this arena. Though with those companies at least an order of magnitude worth of effort MORE is expended on some form of heightened security, communication, and standards primary thru tertiary of their core offering.

[+] cliffcrosland|8 years ago|reply
To be honest, I feel bad for the engineering team at Equifax. The vulnerability that compromised their system was a bug in an open-source Java library, Apache Struts, and security researchers only noticed it a few days ago. It seems that the Equifax team had very little time to react and update their software. In some sense, I feel that more blame should be placed on the engineers who built the highly popular open-source software, not the Equifax team. Some large number of Fortune 100 companies also experienced the same vulnerability simply because they trusted a widely used library.

Makes me wary of trusting other big OS libraries, but since rebuilding every part of the stack from scratch is infeasible and unproductive, we don't have much choice but to use them.

Technical announcement:

Severe security vulnerability found in Apache Struts using lgtm.com (CVE-2017-9805):

https://lgtm.com/blog/apache_struts_CVE-2017-9805_announceme...

[+] Dowwie|8 years ago|reply
Consider the possibility that the hackers were agents of a sovereign power, such as one who has been hurt by economic sanctions and has a history of cyber warfare. This state could decide to respond to US economic aggression by using the compromised information of hundreds of millions of Americans to engage in fraudulent activity.

This event is leading me to think about how social security numbers can no longer serve the role that they have with establishing trust in identity, although they can continue to be used to uniquely identify a US citizen. This hack may push markets, and government, to widely adopt biometrics and other sensitive, personally identifiable information.

What won't happen, unfortunately, is the political will to regulate how uniquely identifiable personal information is managed and stored.

Suppose that rather than Equifax, Facebook were hacked. What kind of intelligence and reports does Facebook have on people that would eclipse that of social security numbers and credit history?

[+] mrb|8 years ago|reply
So everybody has been talking about "freezing" your Equifax account for a little bit of protection... Well it turns out the Equifax security freeze PIN (which is all the "secret" info an attacker needs to unfreeze it) is just the date & time: MMDDYYHHMM! https://mobile.twitter.com/webster/status/906346071210778625
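A regression check a defender could put in front of a PIN generator, as an added example that is not part of this thread and not Equifax's code: it contrasts a PIN derived from the freeze's creation time (the MMDDYYHHMM scheme the linked tweet describes) with one drawn from a CSPRNG, and gives a check that fails whenever a generated PIN can be reconstructed from the record's creation timestamp. Function names and the one-year / one-day window sizes are assumptions made for illustration.

```python
import math
import secrets
from datetime import datetime

PIN_LENGTH = 10  # ten decimal digits, the width of MMDDYYHHMM


def time_derived_pin(created_at: datetime) -> str:
    """The weak scheme from the tweet: the PIN is just the creation timestamp."""
    return created_at.strftime("%m%d%y%H%M")


def generate_freeze_pin(length: int = PIN_LENGTH) -> str:
    """Secure alternative: every digit drawn independently from the OS CSPRNG."""
    return "".join(str(secrets.randbelow(10)) for _ in range(length))


def is_reconstructible_from_time(pin: str, created_at: datetime) -> bool:
    """Defender's check: a PIN that equals its own creation time (in the known
    format) carries no secret at all, because creation time is not secret."""
    return pin == time_derived_pin(created_at)


def search_space_bits(candidates: int) -> float:
    """Size of the space an attacker must cover, in bits, for `candidates`
    equally likely PINs. Used to compare the two schemes."""
    return math.log2(candidates)


def audit_pin_record(pin: str, created_at: datetime) -> dict:
    """Summarise what a review of one (pin, created_at) record would report.
    Hypothetical helper; the field names are this example's own."""
    return {
        "length_ok": len(pin) == PIN_LENGTH and pin.isdigit(),
        "time_derived": is_reconstructible_from_time(pin, created_at),
        # A random 10-digit PIN: 10**10 candidates.
        "random_bits": search_space_bits(10 ** PIN_LENGTH),
        # Timestamp PIN when the attacker knows only the year: minutes per year.
        "timestamp_year_bits": search_space_bits(365 * 24 * 60),
        # Timestamp PIN when the attacker knows the day: minutes per day.
        "timestamp_day_bits": search_space_bits(24 * 60),
    }


if __name__ == "__main__":
    created = datetime(2017, 9, 8, 12, 34)  # constructed sample creation time
    weak = time_derived_pin(created)
    strong = generate_freeze_pin()
    print("weak  :", weak, audit_pin_record(weak, created))
    print("strong:", strong, audit_pin_record(strong, created))
```

The point of the audit is the gap in `search_space_bits`: a uniformly random 10-digit PIN sits at about 33 bits, while a timestamp PIN collapses to roughly 19 bits if only the year is known and about 10.5 bits if the day is. Any PIN that `is_reconstructible_from_time` reports as true should be treated as not secret, regardless of its length.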
[+] rangersanger|8 years ago|reply
My hope is that this opens a larger discussion on the business practices of these credit bureaus, the kind of data they collect, and ultimately their harm to the public good.

As far as I'm concerned, they stole my data first, then they packaged it up neatly and gave it to shady persons.

Yes, I'm aware that I "consented" to their collection of my data when I signed up for a credit card, or a car loan, but it's not a system you can realistically opt out of. If I want to rent an apartment or, sometimes, even get a job, I need to consent to a credit pull, so I need to have a positive credit history.

So, we have a private sector monopoly that I am coerced to give my data to, for free, to function in society. Seems like a good business to be in, but as an outsider I'd like to see something drastic happen. Perhaps nationalization, or breaking up of the big three with deep regulation.

*edited to add omitted "three" in last sentence.

[+] coldcode|8 years ago|reply
I have said for years this credit controlling triopoly needs to be shut down and replaced with something less disgusting. Ever tried to fix a mistake they made in your credit report? You may as well be dealing with the Spanish Inquisition. There is no penalty for Cxx's who perpetuate inept security to make more money so security is always job #99. These folks seem to have cornered the market on ineptness. I doubt any lawsuit will make them do anything different.
[+] simonswords82|8 years ago|reply
It's always seemed odd to me that Experian and Equifax have the upside of being both arbitrarily in charge of so much data and wield ridiculous power, and yet somehow they're still largely independent and profit making.

I'll watch the outcome of this breach with interest. It strikes me that at the very least credit rating agencies should be non-profit and very closely monitored by government. This will include ensuring security best practice is followed.

As others have rightly pointed out, they even have the audacity to call us customers. Like somehow we turned 18 and signed up for their service. I certainly didn't, and it annoys me that a company whom I have no control over can make or break my credit history.

[+] bogomipz|8 years ago|reply
The US has an adult population (who would hence have credit profiles) of 245 million people. At 143 million, this breach affects more than half of the adult population. Given this, the majority of credit rating systems of the US have been compromised. Isn't this enough that the whole "social security number as a master key" system has to be dismantled? How can it be trusted now?

There is no way to opt out of having your data collected and sold by Equifax, Experian, TransUnion. The power these companies have over US citizens is incredible.

Anyone that's ever tried to remove incorrect data on their credit report knows how painful it is to deal with these companies. Despite dealing and brokering in electronic data to buyers of your credit profile, your interactions with them as a consumer can only occur via paper mail and mailing letters which means weeks or even months for basic communication. They operate like thugs. I hope this is the end of them and by extension the other two agencies as well.

[+] ThrustVectoring|8 years ago|reply
Coordinating the response here is the key part here, but "massive number of suits in small-claims court" is probably better for threatening Equifax with an existential legal threat.

Equifax employs about 10,000 people worldwide. A million small-claims cases has each Equifax employee handling 100 small-claims cases. I don't think they can handle that level of distributed legal aggression. It just takes too much time by too many people, especially if people refuse to settle for anything less than $1000.

Probably the best way to crowdsource it is to go through the process yourself, write a step-by-step guide to what you did, and post the results on social media.

[+] atom_enger|8 years ago|reply
The super fucked up part is that it automatically signs you up for their "Credit protection" if you use their site to see if you were impacted. Doesn't ask if you'd like to, just says "Thanks for signing up, your year starts now!"
[+] thieving_magpie|8 years ago|reply
Actually, since I'm affected, I got a different message. It's even worse.

They gave me a date in September that I have to remember to come back and sign up for. It's the equivalent of grabbing a ticket in the deli line.

Look at this text: "Please be sure to mark your calendar as you will not receive additional reminders. On or after your enrollment date, please return to faq.trustedidpremier.com and click the link to continue through the enrollment process".

That's enraging. You tell me I'm affected and now I have to come back at some date/time and sign up? At least it has given me the time to read all the comments about waiving class action participation.

[+] lsmarigo|8 years ago|reply
Even worse, you agree to arbitration in case of disputes waiving your rights to sue... not sure if even enforceable.

You can check if you're impacted then just not proceed to click "enroll" and be able to check without auto-enrolling and agreeing to their 1yr protection + arbitration agreement.

[+] java_script|8 years ago|reply
From my reading of ToS it also apparently waives your right to be a part of a class action lawsuit against Equifax...
[+] samstave|8 years ago|reply
Do the TOS require one to only go through mediation as a part of this, so by signing up you waive your right to sue?
[+] whyenot|8 years ago|reply
Suppose each person affected has to spend an hour protecting themselves from this breach. The cost in wasted time would be 16,313 years.

It's high time to set an example. Equifax should no longer exist as a company. People responsible should end up in jail. Company executives should be held personally liable. Some would claim it is unfair, but the only way to keep this from happening again and again is for those responsible to face serious consequences.