It would become a legendary case study if this site turned out to be an information phishing site. (This one is legit but I expect it to happen someday. I'm surprised it hasn't already.)
After all this site links to the law firm JND, but nowhere does JND mention this site. So any of us could have made this site.
Use the form below to find out if your information was impacted and if you are a class member.
It's somewhat of an unsolved problem: there are all sorts of these kinds of sites that are legitimate but look really suspicious, like they could be phishing sites. Examples:
Your comment inspired me to take a look. I compared the SSL certificate and the whois information to equifax.com. The settlement site uses a different company for the certificate. The settlement site uses Starfield Technologies vs DigiCert for equifax.com. The settlement site uses GoDaddy for their DNS vs UltraDNS for equifax.com. It's not impossible that a division in the company or a different law firm uses a different SSL certificate provider and DNS provider, but it may point to some caution.
Edit: As another commenter pointed out, this site is linked to from the FTC site about the breach.
You think they would have learned since the breach. Right after the breach was disclosed they made their information page equifaxsecurity2017.com. It had the same prompt for last name and last digits of the visitor's SSN. Then just said something along the lines of ~"Thanks for the information, we'll have more details later".
In Quebec we recently had a massive information leak from Desjardins, a credit union used by most of the population. It didn't take long for people to receive phishing SMS trying to get information from people.
I don't want money. I don't want free service. I don't want any compensation.
I want Equifax as a company to be dissolved for incompetency with private data, and I want a way to legally opt out of other such companies collecting and aggregating private data about me.
> I want Equifax as a company to be dissolved for incompetency with private data
I want the system to be changed such that the burden of proof is on the lender that they actually interacted with the person they claimed they did. That is, if someone who is not you uses your information to get a credit card, then the bank loses their money for not following due diligence.
> I want a way to legally opt out of other such companies collecting and aggregating private data about me.
Compare a desire to legally opt out (after checking a box, agreeing to a privacy policy you never read, having your data from 10 years ago - with a chain of custody/dispersal that's probably untenable, if not impossible, to map by now - synthesized by a third party) to GDPR's concept of consent:
"The key point is that all consent must be opt-in consent, ie a positive action or indication – there is no such thing as ‘opt-out consent’. Failure to opt out is not consent as it does not involve a clear affirmative act. You may not rely on silence, inactivity, default settings, pre-ticked boxes or your general terms and conditions, or seek to take advantage of inertia, inattention or default bias in any other way. All of these methods also involve ambiguity – and for consent to be valid it must be both unambiguous and affirmative. It must be clear that the individual deliberately and actively chose to consent."
5-second glance at the stuff in the <head> shows pixels for: Google Ads, Facebook, Twitter, a bunch of other slimy stuff.
What the actual F. Who does that?
Edit: also, no content security policy, no subresource integrity for 3rd party scripts. Is there such a thing as filing a class action against the party handling the class action? This is downright irresponsible.
Edit: I see a couple of the 3rd party scripts have integrity, but most don't.
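The check described in the comment above (third-party scripts loaded without subresource integrity, and no content security policy), as an added example that is not part of the original thread. The sample page, its hostnames and the names `ResourceAudit` and `audit` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample page; every hostname below is a placeholder, not a real tracker.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example.net/lib.min.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://ads.example.org/pixel.js"></script>
<script src="//social.example.com/widget.js" async></script>
<link rel="stylesheet" href="https://fonts.example.net/site.css" integrity="sha384-PLACEHOLDER">
<script src="/js/form.js"></script>
</head><body><form><input name="ssn_last6"></form></body></html>"""

class ResourceAudit(HTMLParser):
    """Collect cross-origin script/stylesheet loads and note any <meta> CSP."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []          # (host, url, problem)
        self.has_meta_csp = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)             # valueless attributes map to None
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "content-security-policy":
            self.has_meta_csp = True
        if tag == "script":
            url = a.get("src")
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").lower().split():
            url = a.get("href")
        else:
            return
        host = urlparse(url or "", scheme="https").hostname  # also resolves //host/path
        if host is None or host == self.page_host:
            return                  # inline, relative or same-origin: not third party
        if not a.get("integrity"):
            self.findings.append((host, url, "no integrity attribute"))
        elif "crossorigin" not in a:
            # SRI on a cross-origin resource needs a CORS request to be checkable
            self.findings.append((host, url, "integrity without crossorigin"))

def audit(html, page_host, response_headers=None):
    """Return CSP presence (header or <meta>) and the list of SRI findings."""
    headers = {k.lower() for k in (response_headers or {})}
    parser = ResourceAudit(page_host)
    parser.feed(html)
    return {"csp_present": parser.has_meta_csp or "content-security-policy" in headers,
            "findings": parser.findings}

if __name__ == "__main__":
    report = audit(SAMPLE_HTML, "settlement.example")
    print(report["csp_present"], *report["findings"], sep="\n")
```

Pass the real response headers as the third argument, since a policy is normally delivered in the `Content-Security-Policy` header rather than a `<meta>` tag.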
What he’s saying is that even if www.equifaxbreachsettlement.com isn’t using the 5 digits of your SSN for nefarious purposes, Google Ads, Facebook, Twitter, and other slimy companies are collecting this data. Even if FB, Twitter, Google et al aren’t using this data, it might be available to marketers who use these Ad platforms.
Please correct me if my explanation of the parent comment is wrong here.
I'm pretty sure you don't have a legal claim against a site because it doesn't use subresource integrity. Three quarters of the internet could be sued. Now if the company handling the claims _also_ loses your data, then maybe you'd have a shot at a case.
Note that many free credit monitoring services exist, and most credit cards nowadays have this feature available. These qualify you for the $125 payout.
Up to 10 hours effort ($250) can be claimed without documentation, for time spent battling or preventing ID theft. Preventing is probably key here, and could cover a lot of activities.
If this breach affected 147M people (which is what I can find from various articles), and $700M was set aside (before attorney fees), and most claims will be $125, that's only ~4M people who will get $125.
Are they expecting very few people to file claims? Or what am I missing?
They can keep the $125 (although, I wish I could direct it to a charity). I don't want to submit all of this information to an entity whose data security is probably worse (hard to believe) than Equifax!
If you have any basic credit card, you probably have credit monitoring. It's included with most cards. Like, for example, my basic free Capital One card comes with free credit monitoring with CreditWise, which counts for this context.
Step 2, you can self certify up to 10 hours how much time you've spent on prevention or dealing with ID theft. That's $250. And if you can prove it with documentation, an additional 10 hours, for a total of $500.
The theoretical argument is that you should only be compensated for damages and incurred costs. If your information is leaked but no one used it, arguably there are no demonstrable damages. If you didn't purchase credit monitoring, you didn't incur any costs.
I'm feeling a bit cynical, and I wonder if this will bring real changes? I happen to have a good friend at ReliaQuest, so I know that, after the data theft, Equifax hired ReliaQuest, and has slowly expanded that contract, giving more and more responsibility to ReliaQuest. My friend is an awesome engineer and ReliaQuest is a very good outfit, but still, I'm frustrated by the idea that the CEO of Equifax can simply outsource security and then not think about it any more. For companies that hold people's most sensitive data, I'd like the top person to be obsessed with security 24 hours a day. I wrote about this previously:
"If a company handles people’s sensitive financial data, then I would like the CEO to be the type of person who wakes up in the morning thinking about security, goes to sleep at night thinking about security, and never has security far from their mind during the day. So to hire a security company, and then act as if security is a solved problem, is troubling. There are many other ways for a company to be hacked. Social engineering is a danger, and most company hacks are inside jobs. Hiring a firm such as ReliaQuest does not protect you from having one of your own employees steal data and sell it to the Russians. Protecting against internal attacks requires hard thinking by the top leadership of the company. The job can not be outsourced."
No. A CEO runs every aspect of a business. While it might be a bad call outsourcing everything, they obviously want expertise rather than having to either rely on their current team that fucked up (which would be viewed as negative), or take some time to hire new people. Hiring new people takes time & isn’t reactionary. Everyone will want them to be seen to be doing something. Hiring an external company is possibly the best short term thing they could do.
I completed the request with specified damages from the breach. I recently received a letter saying my claim was denied as I had "failed to mail the documentation," however, there was no notice on the webform that I completed that required mailing the documentation.
You can only claim the $125 cash if you affirm that you're already paying for credit monitoring. While I don't expect anyone to confirm your claim, you do have to sign your name to a legal document stating as much. You can make additional compensation claims if you suffered actual damage or spent time dealing with the breach, but as I could not honestly claim such, I don't know what that part of the process entails.
“Class Counsel will ask the Court to award them attorneys’ fees of up to $77,500,000 and reimbursement for costs and expenses up to $3,000,000 to be paid from the Consumer Restitution Fund.”
[+] [-] simonsarris|6 years ago|reply
Use the form below to find out if your information was impacted and if you are a class member.
Last Name _______
Last 6 Digits of Social Security Number ________
[+] [-] Zombieball|6 years ago|reply
https://www.google.ca/amp/s/www.nytimes.com/2017/09/20/busin...
[+] [-] astura|6 years ago|reply
https://www.annualcreditreport.com/
https://www.optoutprescreen.com/
You can tell these two are legit because they are listed on official government sites:
https://www.ftc.gov/faq/consumer-protection/get-my-free-cred...
https://www.consumer.ftc.gov/articles/0262-stopping-unsolici...
However, I can see how some people wouldn't think to go through .gov sites and there's really nothing stopping me from registering a phishing site with a similar domain and hosting it in Russia or something to confuse people into using mine rather than the official one.
I think freecreditscore.com has been confused with annualcreditreport.com in the past. Freecreditscore.com is owned by Experian now and it actually does offer a real free no strings attached credit score NOW, but in the past it used to be one of those sites that tricked you into signing up for a subscription.
Then, of course, there was the Equifax data breach site that totally looked like a phishing site.
[+] [-] moonlighter|6 years ago|reply
https://www.ftc.gov/enforcement/cases-proceedings/refunds/eq...
[+] [-] jwp23|6 years ago|reply
[+] [-] caymanjim|6 years ago|reply
https://www.ftc.gov/enforcement/cases-proceedings/refunds/eq...
[+] [-] chpwssn|6 years ago|reply
[+] [-] jcsnv|6 years ago|reply
[+] [-] dwild|6 years ago|reply
It's not exactly the same, but works the same way.
[+] [-] _bxg1|6 years ago|reply
[+] [-] acomjean|6 years ago|reply
>I just entered "Smith" and 6 digits. (Not real) I was eligible.
[+] [-] Vordimous|6 years ago|reply
[+] [-] espeed|6 years ago|reply
[+] [-] partiallypro|6 years ago|reply
[+] [-] foxc|6 years ago|reply
[+] [-] soulofmischief|6 years ago|reply
[+] [-] u801e|6 years ago|reply
[+] [-] tony|6 years ago|reply
Source: https://ico.org.uk/for-organisations/guide-to-data-protectio...
[+] [-] simonebrunozzi|6 years ago|reply
[+] [-] scottydelta|6 years ago|reply
This is what I want too at the end of the day.
[+] [-] swalsh|6 years ago|reply
The problem is this also means you will be completely opting out of the credit system. No more mortgages, no more credit cards, no more car loans.
I'm afraid it's kind of a necessary evil.
[+] [-] kd5bjo|6 years ago|reply
[+] [-] dccoolgai|6 years ago|reply
[+] [-] webninja|6 years ago|reply
[+] [-] cddotdotslash|6 years ago|reply
[+] [-] mNovak|6 years ago|reply
[+] [-] lotsofpulp|6 years ago|reply
[+] [-] ceejayoz|6 years ago|reply
Yup. Reading news about the breach. Researching credit monitoring options. etc.
[+] [-] jammygit|6 years ago|reply
https://blog.legalist.com/i-won-8-000-from-equifax-in-small-...
An update about winning the appeal afterwards (edit: apparently they got it reduced to $5500):
https://blog.legalist.com/i-fought-equifaxs-lawyer-in-court-...
[+] [-] aaronmid|6 years ago|reply
It's mentioned in the FTC site.
[+] [-] jbredeche|6 years ago|reply
[+] [-] lr|6 years ago|reply
[+] [-] discreditable|6 years ago|reply
[+] [-] bluetidepro|6 years ago|reply
[+] [-] cmurf|6 years ago|reply
[+] [-] TAForObvReasons|6 years ago|reply
[+] [-] basch|6 years ago|reply
Significant other has Mint, Credit Karma, different credit union, BoA, Cap One.
[+] [-] toomuchtodo|6 years ago|reply
[1] https://www.reddit.com/r/personalfinance/comments/ch9tcj/cla...
[+] [-] lkrubner|6 years ago|reply
http://www.smashcompany.com/business/if-a-company-is-serious...
[+] [-] trollied|6 years ago|reply
[+] [-] hnruss|6 years ago|reply
[+] [-] gouggoug|6 years ago|reply
[+] [-] rednerrus|6 years ago|reply
[+] [-] unknown|6 years ago|reply
[deleted]
[+] [-] non-prophet|6 years ago|reply
[+] [-] rdl|6 years ago|reply
[+] [-] caymanjim|6 years ago|reply
[+] [-] OkGoDoIt|6 years ago|reply
The lawyers are the real winner here.
[+] [-] eloff|6 years ago|reply
[+] [-] ausjke|6 years ago|reply
If SSN/birthdate/name is gone, then anyone can fake me online and apply for a credit card under my name.
Am I missing something? What was stolen from me?
So yes, I can say I worried for 10+ hours and Equifax will pay me $250, no questions asked, but this is not exactly what I want to have.