
No matter what, Equifax may tell you you’ve been impacted by the hack - zeep
https://techcrunch.com/2017/09/08/psa-no-matter-what-you-write-equifax-may-tell-you-youve-been-impacted-by-the-hack/?ncid=mobilenavtrend
======
calvinbhai
So, this basically is a way for Equifax to get a mass waiver from people to
make a class action lawsuit less damaging to the company. Opting out of the
waiver is a long-winded process of mailing a form. Another funny thing is that
if you sign up for their crappy product, you have to come back on a different
day and complete the sign up. There won't be emails or notifications. If you
forget to sign up, then you have basically waived your rights to sue the
company.

For every SSN entered, Equifax can say in a class action lawsuit that they
have waivers from all the following SSNs ....

IANAL, but this looks like a sensible strategy for Equifax to save itself
after screwing with people's SSNs and personal info.

~~~
paulgb
> Opting out of the waiver is a long winded process of mailing a form.

I freaking hate tactics like this, so I am offering to go through the mailing
process for anyone who fills out the form at
[https://unarbitrate.org/](https://unarbitrate.org/). I'll pay to mail it,
just because I hate this sort of thing. If you don't trust me with your data,
the site also provides a way to print it and mail it yourself. But whatever it
takes, I encourage everyone to opt out of this; you have nothing to gain by
giving up these rights.

(I've submitted it to HN as well:
[https://news.ycombinator.com/item?id=15207151](https://news.ycombinator.com/item?id=15207151))

~~~
nateweiss
Let me know if you'd like a contribution to cover postage for people.

~~~
paulgb
Thanks, I appreciate the support! I'll let you know if it comes to that; so
far I have some money set aside and I should be able to keep costs under
control by bundling them into one envelope.

~~~
KGIII
It's going to take more than an envelope, if your site gains legs. There is
also the expense of printing and shipping. Paper is heavy. You mentioned the
idea of delivering them in person; you may wish to get some press and legal
counsel.

Reach out, should you need financial assistance.

------
randyrand
Considering all this information has been leaked, how on earth would they
expect the people entering in their credentials to be the actual people who
own the SSN!

With regard to giving up their right to class action.

------
Kiro
In Sweden your social security number is public information. What's the reason
for it being private in the US? Sounds like a horrible thing to rely on for
security anyway.

~~~
Avshalom
Well I mean, what it comes down to is you need some way of establishing that it's
actually you over a phone or Internet, and you can assume that an
Equifax-equivalent would be storing that info regardless of exactly what it is in
Sweden.

~~~
literallycancer
> Well I mean, what it comes down to is you need some way of establishing that it's
> actually you over a phone or Internet

Why do you need that exactly? If you are selling something, it's quite simple:
if you receive the money, you provide the service -- if not, you don't.

The payment processor can use 2FA (this is actually done by a number of banks
in Europe, when you enter the payment information, you get a text message with
a code from your bank to confirm the transaction).

~~~
tonyztan
> The payment processor can use 2FA (this is actually done by a number of
> banks in Europe, when you enter the payment information, you get a text
> message with a code from your bank to confirm the transaction).

I think 3-D Secure is the protocol they use.

[https://en.wikipedia.org/wiki/3-D_Secure](https://en.wikipedia.org/wiki/3-D_Secure)

------
notyourday
So basically Equifax now is engaging in fraud on a massive scale. It needs to be
dealt with the same way as we dealt with this company called Arthur Andersen.

~~~
tomrod
Allow them to rebrand?

~~~
zwerdlds
Hey now. Accenture is a totally different company. They have reliable analysts
who do good work.

/s

~~~
hypercluster
Ha interesting, didn't know of Accenture's history.

------
fastball
This isn't a very rigorous test, and TC's assertion that this may be random is
probably untrue given that the results seem to be consistent if you enter the
same details multiple times. The idea that Equifax has implemented a random
yet deterministic checking system seems beyond the pale of belief.

If I had to guess, I would say that Equifax is not checking against a list of
people that they know are compromised, but rather against a list that they
know _have NOT been compromised_. So if you check a name, and it _is in
Equifax's database AND it is known to be uncompromised_, you get back a "you
are safe" message. For everyone else they give a generic "you _maybe_ were
affected", emphasis on the "maybe".

Obviously a fictional person with fictional details is not going to be in
Equifax's database, so they would just throw the generic maybe message.

~~~
sulam
I have 5 and 7 yr old girls. To the degree that either exists with respect to
the finance industry, they both exist. Neither has credit, obviously, or any
interactions with a credit agency. The only people who have their SSNs are the
federal government and our health care provider, which has some very strict
laws about what they can do with _any_ data they have.

Equifax says the 7-yr old "may" have been affected. The 5 yr old comes back
clean.

This sure looks scammy.

~~~
ams6110
Sadly, "very strict laws" don't have much ability to prevent data breaches due
to zero-days or simple incompetence.

~~~
sulam
Sure, but they didn't give data to a credit agency. That would require
consent, and even if you assume they ignored HIPAA, if they'd done it for one
daughter they'd have done it for both.

------
hpcjoe
I will be blunt, and I am very incensed by this.

My comments ...
[https://twitter.com/hpcjoe/status/906549917509980160](https://twitter.com/hpcjoe/status/906549917509980160)

This is an extinction level event for Equifax. They need to be disassembled,
their stored data destroyed correctly and securely, their negligent officers
charged.

This isn't an accident. You don't surface _0.134 BILLION_ bits of PII without
some sort of criminal level incompetence.

Any organization that uses Equifax data in any decision making process needs
to be held accountable, as there may have been earlier intrusions also
undiscovered, that have altered. Which, if they then choose to use them in any
decision process whatsoever, brings them liability for misuse of possibly
tampered with data.

I am quite serious when I say that Equifax should cease to exist as a result
of this. All others should be audited for security, and audited hard.

Again, not being hyperbolic. But quite direct, with appropriate levels of
anger at Equifax.

~~~
latch
Every generation is galvanized by serious injustices. But, it _feels_ like
we're far less effective at turning that anger into change; though maybe
that's always how it feels at the time.

I'm almost sure I once saw a quote from Bill Clinton's press secretary that
said something like "We knew that if we could survive the first 5 days of a
bad story, it would get dropped."

That perspective solidified for me during the Occupy Movement. Granted, it
lasted much longer than 5 days, but ultimately, what of it? The FBI didn't
investigate the bankers, it investigated the protesters.

You see it with Flint. You see it with Climate Change.

I've always been politically apathetic. Moreso as a foreigner where I
recognize that living in a foreign country is a privilege, not a right. Plus
I'm a cynical person (not a healthy habit). Which means that whenever I hear
about "boycotts", or "writing to your representative", or "held criminally
responsible", or "..." I always think two things. First, that people are
naïve, and second, what's it going to take to drive people to take un-
ignorable action?

Brave New World.

~~~
pdkl95
> we're far less effective at turning that anger into change

The anger will become a _mob_ that enacts change when a critical mass of
people lose access to food and/or shelter.

> what of [Occupy]

Occupy was _very_ successful at (re-)introducing _class warfare_ into the
public dialog.

> First, that people are naïve, and second, what's it going to take to drive
> people to take un-ignorable action?

3rd, why isn't this anger organizing into larger activist/political movements?
Well, with enough surveillance data and modern data analysis tools it's easy
to find the "leaders" or "organizers" that bring people together. Remember
JTRIG[1]?

[1] [https://theintercept.com/2014/02/24/jtrig-manipulation/](https://theintercept.com/2014/02/24/jtrig-manipulation/)

~~~
otakucode
Oh, you're on the right track... but it's worse than you imagine. Those
"leaders" and "organizers" are unimportant. You're familiar with the 'Six
Degrees of Kevin Bacon', right? Say you were omnipotent and wanted to make it
so that instead of only needing 6 links to get to Mr. Bacon, you needed 15
links on average. And you want to do as little disruption of the network as
necessary.

What nodes in the graph of connections would you target? Intuition says go
after the nodes with tons of connections to tons of people. Intuition is, as
it almost always is, dead wrong. Removing those massively-connected people in
a social network is basically useless. They are almost exclusively connected
to people who are already connected to one another. They're the center of
clusters, and you will almost never route through one in an attempt to find
the path to Mr. Bacon.

Instead, what you want to look for are node which bridge clusters. People who
are usually not strongly connected to one of the clusters they are associated
with, but provide a conduit through which connections can be made. Because
they are inherently a bit 'different' from the people in each of the clusters
they bridge (few others bridge those two clusters), they tend not to be
important figures. They're a member of a biker gang who hangs out with his
great aunts knitting circle on Saturdays. They're the ones who facilitate the
flow of ideas between groups that never speak to one another otherwise.

So you know who to target... but how many 'bridge' nodes like that do you need
to really take out in order to significantly increase the 'distance' between
nodes on the graph on average? Disturbingly few. Removing something like 25
nodes from the graph of tens of thousands of performers will make it so you
need 15 or more connections on average to get to Mr. Bacon. (The book 'Linked:
The New Science of Networks' details the research specifically; it's been years
since I read it though, so I am fuzzy on exact numbers, but it was definitely
fewer than 30 you needed to remove.)

Now, imagine a crazy scenario where you had access to the social graph of a
country (somehow!) and knew who was talking to who. And your goal was just to
maintain the status quo. Well, what does any large-scale social change
require? An idea must spread to large numbers of extremely different, and
almost entirely disconnected, groups. Any idea that remains sheltered in one
or a few groups will die out of its own accord. A revolution doesn't happen
because one minority wills it, there has to be buy-in from a wide array of
groups. So remove those bridge nodes. Any widespread social change becomes
very nearly impossible.

But what is "removing a node"? I'm not talking about black-bagging a person
and dragging them off to some hole or blowing their brains out. Such things
are entirely unnecessary and counter-productive. The more significant your
action is, the more profound the unintended consequences will be and
predicting the outcome quickly becomes intractable. Instead, notice that those
bridges are usually connected more strongly to one cluster rather than the
other. If their communication became more burdensome to the group they are
less connected to... for how long would they persist in fighting to maintain
it? If something nutty happened and they had to change their phone number,
what're the odds they'll forget to give the new one to the contact in a group
they're barely involved in?

You could have very quiet oppression through these means. I expect there would
be unintended consequences, and have been trying to figure out for a few ways
a good way to detect such changes in a social network, but it's just a thing I
keep in the back of my head, not something I actively work on. If you've got
any ideas, I'd be happy to hear them.

------
cmurf
[https://trustedidpremier.com/static/terms](https://trustedidpremier.com/static/terms)

"As specified on the website, Your membership subscription may be subject to
automatic renewal. TrustedID may, in its sole discretion, terminate this
Agreement (or suspend, terminate, or otherwise restrict Your use of and access
to the Product) at any time, without notice."

Not only can they renew you automatically (unclear what the renewal term is,
plausibly the autorenew could obligate you with another year of service you'd
have to pay for); but they can also cancel the service, and not inform you. So
you're "protected". Maybe. You don't really know, nothing about it is
transparent.

What we do know, is they're bad at their job of protecting consumer credit
data from people who shouldn't have it. They're not to be trusted, and
therefore no good reason to agree to anything they offer.

------
Johnny555
I entered my real information and they said I was not impacted (but still
asked me to sign up for TrustedID). The same for my wife. I tried it again
today to make sure the answer didn't change and it's the same as yesterday.

Here's the message I got:

_Based on the information provided, we believe that your personal information
was not impacted by this incident._

_Click the button below to continue your enrollment in TrustedID Premier._

Maybe if they can't make a positive match against their "safe" list, they give
the warning.

They seem to be matching on SSN alone, I entered a completely different last
name, and still was told that I'm not impacted, so maybe no one with the last
6 digits of my SSN was impacted.

------
WisNorCan
I have now placed freezes [1] on my accounts with each of the four agencies.

It is perplexing to pay $5-10 to each of these companies that have collected
my data without my permission to stop the sale of that data. In particular
after they have mismanaged that data and put me at risk.

They will probably see a large surge in revenue based on this breach.

[1] [https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs](https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs)

~~~
nickthemagicman
What's the fourth? I just know of Equifax, Experian, TransUnion.

~~~
WisNorCan
From the New York Times [0]: _In the meantime, here’s hoping that this breach
is the nudge you need to finally sign up for permanent freezes on your credit
files. I’ve used them for years, and here’s how they work. You sign up (and
pay some fees, because you knew it wasn’t going to be free to protect data
that you didn’t ask these companies to store, right?) at Equifax’s, Experian’s
and TransUnion’s websites. Christina Bater, managing director at Barrett Asset
Management in New York, suggests freezing your file at the little-known
company Innovis, too. Hey, why not?_

[0] [https://www.nytimes.com/2017/09/08/your-money/identity-theft/equifaxs-instructions-are-confusing-heres-what-to-do-now.html?mcubz=0](https://www.nytimes.com/2017/09/08/your-money/identity-theft/equifaxs-instructions-are-confusing-heres-what-to-do-now.html?mcubz=0)

------
crb002
Every attorney here in the Federal bar needs to file an emergency injunction
on Monday asking that the US Government cease sharing confidential bank data with
Equifax until they are paid statutory damages, and Equifax posts a bond large
enough to cover any future data breach payout.

------
paul7986
Scary their tool isn't even hosted on Equifax.

I'm sure Techcrunch verified this is legit, but there's going to be a lot of
similar sites shared on Facebook popping up that are similar to get your data.

------
johnnyb9
Someone comments in TFA that Equifax likely gives random results to garbage
inputs to deter criminals from using it as a way to validate data.

------
khc
Even if the information they returned was correct, do you trust them enough to
enter your SSN and name anymore? Surely they will be hacked again and you will
be impacted by the next hack.

1. Enter SSN

2a. Impacted by this hack

2b. Not impacted by this hack but will be impacted by next

~~~
Johnny555
They already have your SSN unless you have no bank account, credit card,
utilities in your name, a loan, etc.

I think it'd be nearly impossible to be an adult living on your own and not
have your SSN in a credit agency's database.

~~~
zeep
If you would be able to block them from buying your SSN under the current
system, you would not be able to get any loans.

------
ozpri
"New York attorney general Eric Schneiderman has hammered Equifax for using
language meant to discourage arbitration and is asking Equifax for answers
over the data breach. The company has since stated it would not bar consumers
from joining breach-related lawsuits."

Is anyone else mortified that this is the reality? Where companies are allowed
to dictate how much legal privilege we have to seek legal recourse if they
legitimately screw up?

~~~
user5994461
Welcome to capitalist America!

------
justinclift
With this Equifax hack, is it feasible this info release could endanger the
lives of people?

Specifically, having current address info released for people who that could
go badly for, e.g. ex-partners of violent people, maybe law enforcement (?)
people, etc.

If that's the case, then the fallout (and scrambling-to-relocate by people
endangered) from it could be even more massive than so far mentioned. :/

~~~
Johnny555
There are plenty of ways to look up credit report information, I don't think
this hack is going to add a significant new risk.

Though it'd be nice if this caused new data privacy and protection
regulations. (But it won't)

~~~
justinclift
Cool. :)

------
ams6110
If you read the message, it's very noncommittal. You "may have been impacted",
which doesn't take a position either way.

They could issue that response regardless of what you type and cover all
possibilities.

My guess: to account for typos, they are responding with "may have been
impacted" if they get a hit on _either_ the name or SSN, not only when there
is a match on both.

------
rayiner
The reaction here seems pretty over the top to me. Leaking a bunch of private
information is bad, I guess. As a former federal employee, my SSN/etc. were
leaked in the OPM breach a couple of years ago. So far, it's had zero
repercussions for me (or anybody else I know). There are many layers of
defense mechanisms in place. It's not like just having some numbers lets you
do whatever you want. The US banking system has a ton of human checks and
balances and ways to reverse things in place. If I ever saw an unusual charge
on my credit cards, I'd just get it refunded. How much actual harm is going to
come out of this? My suspicion is not that much.

~~~
k_sh
> If I ever saw an unusual charge on my credit cards, I’d just get it
> refunded. How much actual harm is going to come out of this? My suspicion is
> not that much.

Fraudulent charges on an existing account are not the concern when someone has
your SSN and other high-value information - it's the ability for someone else
to open an account in your name that you have no knowledge of.

~~~
ChuckMcM
This is the thing that bites you. Someone opens a store credit card in your
name, uses it enough to get the credit limit to a point where they can walk
off with enough stuff to make it worthwhile. Guess who gets reported to the
debt collectors? Not them, you do.

And here is the really sad bit: when you tell the debt collector that it's a
bogus account and not you, by law they have to stop hassling you, but instead
of 'retiring' the debt they just resell it to another debt collector to get
back some of the money they paid for it. So the cycle doesn't stop.

~~~
harryh
It's also illegal to sell a debt when the owner has knowledge that it is
fraudulent.

~~~
ChuckMcM
Yes it is, but that is much harder to prove, and not something I can do in
small claims. Nor can I easily get the local AG to do it for me in the area
where they operate (I've tried, they just laugh at me).

~~~
harryh
Too bad patio11 has a full time job now. Sounds like something he'd have fun
with.

------
c3534l
Given the fact that every other week some company gets hacked and leaks data
on customers they shouldn't have been keeping in the first place, I'm looking
forward to some court precedent being set. I don't know why the Equifax leak
is getting all the attention and hate when
[https://haveibeenpwned.com/](https://haveibeenpwned.com/) discloses a major
hack constantly, but it'd be great if companies were held financially
responsible for security carelessness and improper disclosure.

------
tuxxy
Does anyone have any information about taking them to court yourself (small
claims or otherwise)? This breach has affected me and as a cryptographic
software engineer, I am exceptionally upset. I intend to go as far as my funds
and personal knowledge will carry me.

~~~
tonyztan
I submitted this a few hours ago:
[https://news.ycombinator.com/item?id=15207727](https://news.ycombinator.com/item?id=15207727).
Basically the steps to file a small claims lawsuit.

------
billions
Yet another argument for decentralization. Data monopolies have single points
of failure.

------
bluetwo
Just a note: I tried the same thing and was told my information was NOT
impacted.

I suspect the reason for this might be that I froze my info years ago.

In some way they must be screening against people who are frozen, or I got
lucky.

~~~
newscracker
I read on Krebs on Security [1] that those who visited the site from a
computer got one result, but also got the other when they visited from a
mobile phone. Not that this might apply to you, but the results from the
equifaxsecurity2017 site do not seem trustable.

Quote from the article:

> In the early hours after the breach announcement, the site was being flagged
> by various browsers as a phishing threat. In some cases, people visiting the
> site were told they were not affected, only to find they received a
> different answer when they checked the site with the same information on
> their mobile phones.

[1]: [https://gixtools.net/2017/09/equifax-breach-response-turns-dumpster-fire/](https://gixtools.net/2017/09/equifax-breach-response-turns-dumpster-fire/)

------
gsnedders
And they have still, as far as I can tell, not communicated to anyone who the
Canadian and UK affected people are; they've merely stated that there are
some…

------
hedora
Where is the class action lawsuit for their intent to defraud the entire US
and Canadian populations?!?

------
nsxwolf
I can't reproduce these results.

------
peter303
Not true. It said 'not impacted' when I entered a fake account and 'impacted' when
I typed mine.

------
companyhen
I keep seeing people say Blockchain technology would prevent this type of
hack. True?

~~~
mbillie1
Blockchain technology would prevent a web app vulnerability? What on earth?

~~~
companyhen
I was wondering the same... just what I saw some of the crypto people I follow
on Twitter say.

------
fastball
Here is a crazy alternate theory for you guys, which I think fits all the
details we have so far.

1. Equifax was never hacked.

2. Equifax accidentally deleted a substantial portion of their database.

3. Come up with a system to get the information they lost back, via a "have I
been pwned?" checker.

3a. If you enter your details and they are not in their database, they assume
it is one of the persons they deleted, add it to their database, and give you
a "maybe hacked" message. Obviously a fictitious person would never have been
in any of their databases, deleted or otherwise. So, assuming this fake person
must be a deleted person, they add the info and show the "maybe hacked"
message.

3b. If you enter your details and you are one of the _lucky_ (haha) persons
that were not deleted, you get a "you are safe" message.

4. Equifax gets a lot of their database they deleted back with little effort
on their part.

What do you think?

~~~
takeda
This is silly, because losing data would cause lower outrage, and they might even
purchase the data from other agencies so we wouldn't even know it happened.

Also the data that leaked is not the valuable data to them. See how proudly
they stated that no core databases were affected? Not giving a damn about us?

What's valuable to them and to the banks that use them is the actual information
about our credit. If that was compromised it would kill them, because they
would lose the trust of their real customers (banks).

~~~
fastball
> crazy alternate theory