
Over 275 days since Equifax’s data breach settlement and no one has been paid - ProAm
https://www.interest.com/personal-finance/275-days-since-equifax-data-breach-settlement/
======
g051051
From the settlement web site:

"The Court gave final approval to the Settlement and overruled all objections
on January 13, 2020. However, some of those that objected to the Settlement
have now appealed the Court’s decision to approve the Settlement. By order of
the Court, the Settlement cannot become final until all appeals are resolved
and there is currently no timeline for the resolution of these appeals. When
the appellate court enters a schedule for the appeal, we will update this
website to provide individuals with more guidance as to the timing of a
decision. Please check back for further updates."

~~~
alteria
iirc, other than writing the Court a letter, this was the other major way to
indicate your displeasure towards the settlement

------
yalogin
Come on now that is not quite true. Some politicians got paid to make this
thing go away with a legislation.

------
markus_zhang
No idea why but I always feel any company dealing with blackbox credit rules
are very fishy...wish there is a way to remove them away from the financial
system.

~~~
317070
EDITED: the below is wrong (as stated by a child comment). There is a
diversity of systems in Europe.

OLD COMMENT: Here's the thing, as far as I know, Europe does not have those
companies. So it definitely should be possible to do without them...

~~~
npstr
That is not true. It is almost impossible to rent a flat in the larger cities
of Germany without showing a positive credit record to the landlords. And
requesting even small credits of a few k will have your credit rating checked
and recorded that such a check happened.

~~~
317070
You are correct, I was unaware of the German case! In fact, it seems that many
European countries do have a credit score system. Some do have other systems:
[https://en.wikipedia.org/wiki/Credit_score#Germany](https://en.wikipedia.org/wiki/Credit_score#Germany)

Here are some countries within Europe who do not have a credit score system:

\- Belgium has no centralised credit score system. However, banks can ask the
Belgian counterpart of the FED for all loans held in your name when you
request a new loan. The national bank keeps a register of all loans.

\- United Kingdom: There is no such thing as a universal credit score or
credit rating in the UK. Each lender will assess potential borrowers on their
own criteria, and these algorithms are effectively trade secrets.

~~~
tmhrtly
As a Brit, I feel I should point out we definitely do have credit ratings. The
three main ratings agencies are Experian, Equifax and TransUnion.

~~~
tialaramex
The Experian Credit Rating Agency actually results historically _from_ what
happened before CRAs existed.

Last century "Mail order" was an exciting new business opportunity. You send
people (mostly housewives) a catalogue explaining what's on offer, and then
they pick items from the catalogue and you deliver them. You can have a much
broader range of products than their local stores, and the catalogue offers a
good way for cautious shoppers to compare options and make a decision at their
leisure.

There was a problem. The customer has no prior relationship to you, but of
course they don't want to pay you for potentially very expensive goods, in
advance, unseen. A local store might know exactly who the customer is, if
that's a nice house or a tiny cottage, what the husband does for a living.
Your mail order catalogue company has no idea.

So you began to just collect observable facts. Mrs Smith still owes you £208
from last year when she bought the dining room set, and hasn't made a payment
on it since January. Mrs Jones on the other hand has paid every penny she
owed, regular as clockwork. So when Mrs Smith tries to order a new frock, you
remind her about the outstanding £208 by return of post - and when Mrs Jones
does you send the frock immediately.

Gradually other new businesses wonder if they might take advantage of this
knowledge. Mrs Jones wants to buy a car, cars are expensive but she'd make
payment every month. The first dealer she visits suggests her husband should
buy it. Mrs Jones doesn't have a husband, and she walks out in disgust, no
sale. But the second dealer has an idea, that mail order catalogue company
might know if Mrs Jones is good for the money. They agree, for a fee, and on
condition that the car dealer tell them if Mrs Jones makes each future payment
on her credit deal, which seems harmless enough.

And one day the catalogue company realises that 80% of its revenue is from
this "Credit Reference" side business of knowing that Mrs Jones is a better
risk than Mrs Smith and the catalogue sales are nice but they aren't really
the same business and needn't be the same company.

If it hadn't already happened last century, today Amazon would be your Credit
Reference Agency, yet another opportunity to enrich Jeff Bezos...

~~~
WhyNotHugo
Really interesting background. I'd not idea this is where it all came from.

It's pretty clear that nowadays with much safer online payments, there's
really no need for these credit checks any more -- you pay online, and if you
get scammed there's solid proof of whom you paid and how much.

------
acklenx
I can't get my [knowledge-based authentication] data back. I don't want their
measly $125 from them (it will cost me far more time and money when this
breach is used against me). I want them to pay the cost for the government to
replace the SSN as an identifier. And to pay for the government give me a new
SSN in the meanwhile... and they don't get to store the new SSN in their
database (because they dun messed up). I think that would be a better outcome
for everyone.

~~~
pas
There's no need for SSN at all.

Everyone is identified by their birth date, the name of their mother and their
birth place. (Their own name is not that important, for example twins can pull
off identity fraud easily, as they can pretend to have the name of their twin,
and how would anyone know!?)

Sure, we can go full 1984 and GATTACA and use biomarkers and papers and
whatever. But that just makes puts many edge cases out of scope, doesn't solve
them at all.

If someone shows up at the bank and claims to be someone, they can produce
documents, either via simple forgery or by stealing someone else's "identity".

They can then pass all the checks the bank runs. (Sure, if there is some
database that says don't open accounts for these IDs, then the scammer can
start with persuading the admins of that DB to unlock the corresponding ID.)

And this will always happen as long as we allow fallbacks for people to get
access to (and create) their accounts after losing (or without creating) a
strong cryptographic key (password).

~~~
bscphil
> birth date, the name of their mother and their birth place

Surely not, there must be a day in which two children were born on the same
day in the same hospital in New York City to two women named Jane Smith?

~~~
Demiurge
I suspect it happens to twins a lot.

~~~
mikegreenberg
I'd wager at least 100% of the time.

------
zaidf
If only the media cared as much about ppl’s super critical data being exposed
as it cares about the privacy of my Facebook Likes.

~~~
dylan604
But does the media even care about that? Or was that the point you were trying
to make?

~~~
drjesusphd
"But _do_ the media..."

Media is a plural noun. To use it incorrectly this way gives credence to
conspiratorial thinking about the press.

~~~
dylan604
Shades of gr[ea]y my friend. If you think of the media as each
broadcaster/publisher it might be plural, but in the conspiratorial sense of
things the "media" is just the propaganda arm of "them". That makes it a
singular thing. QED

~~~
hnick
Depends where you live really. Some places say "the band is performing" and
treat it as a singular, others say "the band are performing" and treat it as a
collection of individuals. I think the latter is more of a UK thing.

------
0xy
The lawyers haven't finished looting the cash. Does anyone even care about the
token amount of cash they're likely to receive?

~~~
gouggoug
It's not about the insignificant amount of money everyone will get out of it;
it's about equifax being severely punished and fined, even though that
settlement won't really change anything.

~~~
whiskeykilo
Exactly. Most people didn't even get picked for payment. I don't want a shitty
monitoring service I want to see Equifax bleed

~~~
chrisseaton
> I want to see Equifax bleed

This seems vindictive. Their behaviour should be corrected and other people
deterred. We shouldn't be calling for blood!

~~~
cmwelsh
What’s wrong with a corporate death sentence in the event of such egregious
mistakes? There must be a severe enough punishment in order for a company’s
risk department to take things seriously.

~~~
WhyNotHugo
Exactly. There's not right and wrong for companies if there's never any _real_
risk.

If people had to just pay a small fine and go on with their lives for
misdeeds, we'd see people hijacking sports cars every day.

------
victorkab
It’s really a loss for consumers across the United States.

The reality is that a large part of the fintech sector still depends on the
data provided by Equifax. Their data is also used for KYC and other security
use cases.

We have started Truework
([https://www.truework.com](https://www.truework.com)) to break that
dependency and give consumers control of their data. If you’re interested to
help us, please contact me by email.

~~~
wl
The Work Number collects payroll information from employers without informing
employees that they turn around and sell that information to third parties.
They mislead people by saying they don't release pay information without
employee authorization while neglecting to mention they sell everything else
without asking permission or giving notification.

It looks like you're doing similar kinds of data collection directly from
employers. If an employee doesn't request income verification or any other
service from you folks, do you collect any data on that employee?

~~~
victorkab
wl, you summarized pretty well how it works indeed :-). A lot of players in
the industry hides behind long legal documents.

In our case we get employee information from your employer but it’s never
shared to third-parties by default. We always go through the process of
notification to the employee before releasing any data and, as an employee,
you can refuse to share that data. The requester is in a holding pattern until
you consent to data sharing.

Hope that helps

~~~
gnu8
Ultimately the purpose of your enterprise to help employers collude to
suppress wages. Please shut it down and disappear. Otherwise I hope you die
toiling in poverty.

------
paulgb
If I remember the settlement details, something like 75 million was for legal
fees.

I bet _they 've_ been paid.

------
nmstoker
Why is the company that had the breach managing the payments? Surely it should
be neutral third party who then just passes on the final bill.

~~~
WhyNotHugo
Yeah, I'm pretty sure that neutral party should be the court.

If I get a fine, I'm sure I can't just wait a few years to pay it with no big
deal behind that.

------
cft
Call me cynical, but when I read the news of the breach I went and bought EFX
call options for 3 months. Because even though I am not sure whether the "deep
state" exists or it's a conspiracy theory, I was somehow confident that I was
making a good investment. It has paid off handsomely indeed.

~~~
echelon
When you buy calls but don't have the capital to exercise those calls, do
brokerage services lend you the money to collect on the gains assuming your
call is in the black?

I have a pretty good stock portfolio, but I haven't dipped my toes into the
call/put, futures, derivatives, "iron condors", etc. world yet.

~~~
cft
In that case you simply sell the call, instead of exercising (assigning) it. I
switched to selling puts instead since then.

~~~
echelon
Are your puts covered? How do you mitigate the risk of the stock going up?

I need to learn a lot more before doing this.

~~~
cft
Yes, puts are covered for now. There are several standardized levels of
account access to buying/selling options. I think selling naked puts requires
Level 5 while selling covered puts requires Level 3. I recommend practicing
buying options first, and selling the options that you have bought, before
selling covered or naked options.

------
rhacker
I think I would have preferred the company be removed of their ability to
collect credit information than any other penalty.

~~~
xfitm3
The US credit system is a bunch of bullshit anyway.

> "Good credit is for poor people" \- words of a wealthy friend.

~~~
winrid
I don't get it. It seems like keeping good credit is easy. Why can't you have
good credit and be wealthy?

~~~
7thaccount
I imagine extremely wealthy people buy everything cash.

~~~
dylan604
Wealthy people don't leave money on the table. If they can earn "free money"
with a credit card point game, then why not?

Some of the cheapest people I know are wealthy. Cheap as in, they negotiate
the hardest for the lowest price, even though it is meaningless to them. I
have been told out right on more than one occasion that it's not about trying
to make something affordable, but more of the shear enjoyment of making
someone else take less just because they can.

~~~
primitivesuave
Second this. When my extremely wealthy CEO overheard I was in the market for a
new vehicle, he happily volunteered to get on the phone and pit 3 local Ford
dealerships against each other in a bidding war for my business. I ended up
saving an additional 12% off what I thought was already a discounted price. I
think a majority of us regular people don't know how to tap into that ruthless
negotiation when buying cars, houses, mattresses, etc.

------
A4ET8a8uTh0
I was hoping that such an egregious case would merit at least an enforced slap
on the wrist. I guess even the talk of insider trading did not change that
outcome. This, along with other recent events, suggests that justice system is
tiered. This does not bode well for the future of the republic.

------
hwc
I want to sue the credit agencies for stalking me.

~~~
dylan604
Would you need to first file a retraining order, or can you just jump straight
into litigation?

~~~
loeg
In America, you can always jump straight to litigation. It doesn't mean you'll
win, and Equifax almost certainly has deeper pockets than you do.

~~~
lotsofpulp
The deeper pockets wouldn’t be the problem. You give permission to financial
institutions to share your data with the credit reporting bureaus, so good
luck fighting that in court.

~~~
dylan604
Do you really give permission/consent, or just accept the fact that you have
no choice in the matter. A guy puts a gun in your face and says give me your
wallet. You're not giving him permission to take your belongings. You're just
doing what you have to do. Yes, I am equating the terms modern financial
systems use as a gun in my face.

------
sunsetMurk
where can I find a good summary/timeline of events of this whole Equifax
breach?

EDIT: googled, reading this[1] now.

1- [https://www.csoonline.com/article/3444488/equifax-data-
breac...](https://www.csoonline.com/article/3444488/equifax-data-breach-faq-
what-happened-who-was-affected-what-was-the-impact.html)

------
gumby
I doubt that headline is really correct: likely the _lawyers_ have some cash
to show for their efforts. Who cares about the actual claimants?

------
willart4food
Have the lawyers been paid?

------
sacman08
In a surprise to no one...

------
basch
The data has never surfaced. I have to wonder if anybody who claims they had
direct identity theft because of the breach automatically loses their claim.

[https://www.cnbc.com/2019/02/13/equifax-mystery-where-is-
the...](https://www.cnbc.com/2019/02/13/equifax-mystery-where-is-the-
data.html)

It's interesting that most coverage of the incident ignores that detail. I
guess people really dont like to hear it because it doesnt fit their
narrative. Whatever this interest.com article is, it has very little value. It
reads like seo spam. It doesn't discuss any of the developments in the last
three weeks, such as Chicago, Indiana, Massachusetts all working out
settlements.

~~~
akersten
To be clear, are you saying that in order for a data breach to be considered
legitimate, the plundered data needs to be released publicly?

~~~
jedberg
Part of the claims process for this settlement was stating that you suffered
losses due to the breach.

If they can prove that the data never leaked, then everyone's claim becomes
invalid, because you didn't suffer any losses from the breach.

~~~
akersten
Even if you did not have your identity stolen yet, losses from the breach can
be as simple as "I bought an identity monitoring service due to the breach
_happening_." It says so on the settlement's website:
[https://www.equifaxbreachsettlement.com/](https://www.equifaxbreachsettlement.com/)

"Time Spent during the Extended Claims Period recovering from fraud, identity
theft, or other misuse of your personal information caused by the data breach"

In this case, the "misuse of [my] personal information" is the fact that it
was leaked by Equifax to an unknown third party.

> If they can prove that the data never leaked,

I don't know how this would be possible, considering they announced that it
did leak: "In September of 2017, Equifax announced it experienced a data
breach"

Unless you mean, prove that the data has not been used yet. Which doesn't seem
like a fair stipulation to the ~150 million impacted people. And it also
doesn't seem possible to prove.

~~~
basch
I want to be clear; I am not trying to downplay the severity of this. On the
contrary, it's probably worse. The pretenses under which the settlement were
made, was a faulty understanding of reality. Despite that, it doesnt give me
the moral authority to lie for a piece of the faulty claim.

What I mean by that, is that we were told there was a breach, and that if we
signed up for credit monitoring services we were entitled to money. We were
told to use our time to freeze our accounts. That however, did nothing to
protect us from what actually happened. A nation states military collected the
data. That is arguably worse than it being used by cyber criminals to take out
loans and credit cards. We were given the impression that we needed to protect
ourselves from people opening accounts in our names or using the data to
access accounts. That in no way reflects what risk we are actually exposed to.

Equifax put us in harms way of a MILITARY. Not petty identity theft. How do
you even quantify what kind of threat that is? The settlement doesn't reflect
that. It doesnt mean that despite the settlement not reflecting reality, that
I should go say they owe me $125 dollars for credit monitoring services.
Especially when damn near every bank in the country offers it for free. Tons
and tons of press were saying "if you already have credit monitoring services,
just fill out the form." It doesn't work that way, and because Im not getting
compensated for a Military threat, doesnt make it ok to claim what I am not
entitled to. It doesnt make up for it. There is no way to quantify what the
monetary damage of the threat actually is. There is no way to know how 20 or
30 years down the road it could make travel more dangerous. Just because the
settlement is wrong, doesnt make it right to file a false claim.

If people really did go pay for credit monitoring (not free stuff they signed
up for or already had), or did spend lots of time freezing credit, they do
deserve compensation for time wasted based on equifax giving us the wrong
information. But since I was not harmed in the way they told me I was when
they made the settlement, I shouldnt be ethically entitled to settlement money
dolled out under false pretenses. Two wrongs don't make a right, nor do they
make us whole.

>"Time Spent during the Extended Claims Period recovering from fraud, identity
theft, or other misuse of your personal information caused by the data breach"

If we agree that the data has never left the government that collected it; we
can determine there was no fraud, identity theft, or misuse, then I could not
have spent time "recovering from it." How do you even know how to "recover"
from a military collecting data on you?

>Which doesn't seem like a fair stipulation to the ~150 million impacted
people.

The real victims could be large organizations who are penetrated using the
data to answer security questions or verifications. I still find it unlikely
this data has yet been used in a direct attack against the impacted people.

This all stemmed from me asking if providing false information to a claim
could make you ineligible. I would consider it false information to say "i was
directly attacked and spent time performing recovery actions and had money
stolen from me" due to this breach (as far as we know, nobody has yet had an
incident because of it, and there is no actual way to recover, short of an emp
burst), or to claim that the free credit monitoring I already had counts
towards some kind of time wasted credit. It is my opinion, that the intent of
"Time Spent during the Extended Claims Period recovering from fraud" IMPLIES
there was some kind of fraud that occurred to some people, and that isnt the
case. And the large claims against this settlement are for MONEY LOST due to
direct attacks. Those are the types of settlement claims I am asking if could
be made invalid.

This is what the settlement site says right now.

>If you were impacted by the Equifax data breach, you may seek reimbursement
for valid Out of Pocket losses or Time Spent ( _excluding losses of money and
time associated with freezing or unfreezing credit reports or purchasing
credit monitoring or identity theft protection_ ) incurred during the Extended
Claims Period if you have not received reimbursement for the claimed loss
through other means.

>Out-of-Pocket Losses during the Extended Claims Period resulting from the
data breach up to $20,000.

It is an odd magicians distraction, a ruse of sorts. Their settlement covers
events that didn't occur to anyone, and imply the wrong future risks. Anybody
who applied for this part of the claim gave false information. IF nobody had
true out of pocket losses (excluding credit monitoring or time freezing) there
is no legitimate claim for this part of the settlement. QED.

