Doesn't "users" imply that we had a choice in the matter? As if we're Equifax's customers? I feel more like we're victims in this case.
"I checked myself, my wife, you and your brother. To the best of my knowledge none of us have Equifax accounts, but it says they probably got our address & driver's license for all four of us.
I don't want to waste money on LifeLock. What can I do? Just watch my accounts?"
Is Visa, MasterCard, etc. at least partially to blame here for picking a bad solution? My personal ties are not with Equifax, I have no direct means as a consumer to express dissatisfaction. Can I sue Visa? They are they ones (I presume anyway) who did the actual information collection from me, and then it was mishandled.
We need more tools for dealing with data breaches. Things aren't slowing down, and they aren't going to unless something big changes.
Your contract is with your card issuer, who provided your personal information to the credit agencies. But you probably agreed not to sue them as part of your agreement when you asked them to issue you a card.
If you don't want to pay for LifeLock, which I agree is a bit steep, you can usually get an identity theft protection policy from most major insurances companies. The premiums vary, but are usually a fraction of LifeLock's fees. Just be sure you understand what's covered.
I use both of those and it costs me $25/yr total.
You can check the Fair Credit Reporting Act for more information about various parties' responsibilities in handling your credit information. However, I don't think you'd be able to sue lenders/creditors in this case. They are distinct from the credit reporting agency that seems to be at fault.
> They only monitor TransUnion and Equifax data
Where do you see that they monitor Equifax data? I only see TransUnion mentioned.
Of course I told them to get lost and just used another mobile provider, but I learned from this episode that all of these consumer services companies share data both ways with these credit checking agencies.
A) A credit account is not the same thing as a checking account or credit union account
B) Plenty of people, even in the US, operate without any of these things. It's not fun, but it's absolutely possible.
After my company crashed, my wife divorced me and then I got cancer -- things were pretty grim on my credit-worthiness story. Net-net: I went without a bank-account for a few years and learned to live with pre-paid phones, money-orders, cashing checks at pawn-shops and pre-paid debit cards, and (for medical and other reasons - not able to drive. Good news: I saved on car insurance, gas and parking). All-in-all ... not a lot of fun (it's very expensive and time-consuming to be poor in America!).
But! As you say: it is do-able.
Monopolies aren't choices, and monopolies on essential services are coercive by definition.
It doesn't make much sense for borrowers, though. But since, by definition, the lenders have the money and the borrowers do not, the borrowers have no real ability to negotiate when lenders get together and do things like that.
But borrowers can vote just as much as lenders can, which is why such behavior is governed by law. So let's not pretend that borrowers somehow agreed to this system in any way. It was forced upon them, and the best they could do about it is pass laws to ensure that lenders at least had to be accurate when reporting, and had to respond reasonably to disputes. Since lenders can lobby and vote, too, borrowers were not able to mandate that the lenders would have much in the way of legal liability when they inevitably get lazy, screw up, and cause real damages to real people.
The law isn't fair; it's just the best compromise that adversarial parties with differing amounts of money, power, and motivation could reach a threshold level of agreement on. It just so happens that a savvy and motivated borrower can completely whitewash their own credit reports for the cost of a few stamps, and maybe some small claims suits, while an ignorant borrower, or one who lacks the time and energy to ride herd on the CRAs, can get completely screwed. It's a numbers game, and the lenders and CRAs can make more money from the latter category than they lose from the former.
Their announcement says social security, addresses and names have been stolen, this is really worse, this data is enough to do ton of things.
The credit agencies (of which equifax is one of 3) get their info from credit card companies and other financial institutions. If you've ever signed up for a credit card or gotten a mortgage or car loan the information from that transaction was sent to the credit reporting agencies. That's how they get data to make their determination of how credit worthy you are.
If this isn't criminal, then nothing is. If someone doesn't go to jail over this, why the hell shouldn't I just go out and commit fraud on a daily basis myself? It seems to be rewarded in our society...
Because corporations are protected, individuals are not. This is what happens when business(profit) takes precedence over human rights.
There will be no repercussions for those responsible. No changes will be implemented. At best we'll get a public apology, but even that seems far-fetched.
What if A Person were to be born into a corporation and all transactions made by thhem be the corporations actions - if things go south, dissolve the company.
(clearly this is simplistic, but you get the idea)
I want to re-form myself into one of these corporations which has little retribution for actions. I shall pledge 10% of SamStave INC LLC to any attorney on the ~~~prowl~~~ case...
You'll risk losing the assets. If the assets aren't substantial, it's unlikely any landlord will sign the lease with the entity without someone guaranteeing it.
Real world example: I did a summer internship one year and the company rented a few houses for the interns. Myself and 2 college guys were in one. Landlord claimed damage on the air conditioner because it iced over due to not changing the filter...ended up getting money from the company.
that said, the strategy you describe is perhaps workable as a small, close-knit group of reciprocally trustworthy people who leave a sequence of bankrupt corporations in their wake.
it could be a sort of financial lobster: a ring-of-trust which occasionally sheds its corporate shell and then immediately grows a new one.
This seems pretty common with high value items (say pools/AC units/solar installers/etc) providing long warranties. 5 years in, the warranty is worthless because the original company is gone.
I get that consumer protections in the US are not very strong, but this just seems like a shady cartel in cahoots with the banks/insurance companies. Please tell me I'm grossly misunderstanding something here.
See the first segment of this episode of the Backstory podcast for a retelling of how these early agencies worked: http://backstoryradio.org/shows/keeping-tabs-2016/
Like really, equifax saying "his score is pretty good, but he IS a terrorist". Sometimes correcting those things take months.
Your information does not just magically make it into the database of a credit bureau. It gets there via public record or because you allowed a creditor to report it to them. You are more than welcome to find a creditor that does not ask for or report to credit bureaus.
Not trying to justify the existence of credit bureaus but let's not kid ourselves. They aren't sending spies to your house or tapping your phone lines to get this info. You personally authorize a large amount of it.
Because you don't have enough wealth to be immune to the legal system.
Veryifying identity with SSN is broken. The right way is probably more or less how big webapps do it - MFA + a password that the user can reset by providing a bunch of info. The government has the necessary private info to do this in most cases (e.g. DL# plus your income from last year's taxes), and can fall back to "Show up at a police station/DMV/other office and talk to a human" in disputed cases.
I'm sure there are lots of private corporations that would love to be the One True Arbiter of who's who, but none of us would trust them, or want to pay the price. An open source solution (something like Keybase?) seems possible, but not without government backing.
It's an awesome system that the US would be lucky to have. I say this as a dual citizen of both countries.
Please, think before you say USPS... this agency is broken as hell. The last thing we want to do is trust our identities to them.
Only real way to get true identity system is biometrics(Fingerprints,DNA, or Iris) taken at birth. But that will never happen for privacy reasons.
Any secret can be stolen, bio or otherwise. The key to robust ongoing identity is not a better shared secret, it's a better way of recovering from theft of shared secrets. One way is to have a big trove of non-secret-but-not-public data, like prevous addresses and employers (which is how the credit bureaus sometimes authenticate people). Who has more such info to draw from than the government? Another is to use shared info that goes stale quickly, e.g. "What magazine did you get in the mail yesterday?" Again, the government, by virtue of being the government, already has candidate info to draw from.
And what if all else fails, if some super-hacker has stolen or has ongoing access to every single piece of digital information that could be used to authenticate you? If you're a startup or a corporation or an open source project, you throw up your hands. If you're the government, you say "Please visit your nearest police department and bring your photo ID and some utility bills."
The more I think about it, the more I'm convinced that this is the only good solution. Like someone else in this thread said, Identity is hard. There's no silver bullet to make it a tractable problem, but you can throw enormous resources at it. And in the government's case, the most costly part (building a brick-and-mortar office in every city, town, village and hamlet in America and staffing it with humans) has already been paid.
But yes, I agree, it's a good point that the government already does this (ditto for lost birth certificates, etc) and this would just be tying the federal identity that they work so hard to verify to a digital one.
I call these what they are: Insecurity questions.
I have also taken to writing completely unguessable nonsense as the answers and recording them in my password manager.
Precheck/Global Entry give you a known flyer/traveler number, which combined with your personal information, authenticates your identity between your travel provider and the government.
Identity is hard.
You can't say that immediately after citing Aadhaar as the "best example" of biometric national identification. There has been massive pushback against Aadhaar for privacy reasons specifically, which just resulted in the Supreme Court declaring privacy to be a fundamental right - something which, incidentally, goes far beyond the approach to privacy taken in the US and Europe.
We have the technology, i.e. certificates, signatures, smart cards, identity federation like SAML.
We got govt + all banks on board with a national digital id. Basically all systems that were considered safe enough such as the major banks online systems (with advanced 2fa) are allowed to issue digital IDs that can be used as logins to all authorities and any other place that needs verified id.
This system probably paid for itself in a hurry.
Is it time for a Federal Department of Verifying
Whether People Are Who They Say They Are?
There is also a disproportionate effect in that a small portion of the 143 million affected will have a large impact, i.e., "identity theft" while most will be unaffected.
I think a fund setup to help those who are directly affected is a better idea. This could be done through government action where penalty proceeds are turned into a fund. In other worse, similar to the BP oil spill in the gulf where the fund helped those who lose income or suffered property damage.
In short, this breach of public "trust" is only the smoking gun that proves how horrible Equifax is. But, they have a long history of being a parasitic organization that will hopefully die soon.
So how do you recover from something like that? Are you basically prevented from using credit for the rest of your life?
Think about it: if every person in america put a freeze on their credit, all of these companies would go out of business because they would no longer have a product to sell. It gets even worse if you're a victim of identity theft because they cannot charge victims of identity theft to freeze or un-freeze a credit report.
I think only solution is criminal charges/jail time against higher ups who prioritized profits over security.
Equifax needs to feel pain so they behave better in the future. Their executives need to be taught that they need to invest in security or it will affect their balance sheet. That will happen even if the payout to individuals is small, just as long as it costs Equifax a lot.
At that point it would be fiscally irresponsible to properly secure this data. They would owe it to their shareholders to continue with their shoddy security and data management procedures.
The risk to the greatest number of people is the increase in interest rates if the lenders do not have the same level of trust in the credit reporting companies.
1% over 30 years is a lot.
Secondly, just taking preventative measures for say 10 years of credit monitoring, from not the company that leaked your data, would cost 15x12x10 $1800.
Keeping my identity/online data safe just seems so hopeless that I don't think about it anymore.
Because right now, it's too easy for them to not care. It's us that suffer the consequences, not them. That has to change.
Until this starts hitting important people in the wallet, nothing will change.
We often question monopolistic behavior with regard to market share and competition for physical goods. However we don't see this type of questioning with regard to data monopolies. Hate to say it that while I enjoy the use of Google and Facebook, they may also fall into this arena. Though with those companies at least an order of magnitude worth of effort MORE is expended on some form of heightened security, communication, and standards primary thru tertiary of their core offering.
Makes me wary of trusting other big OS libraries, but since rebuilding every part of the stack from scratch is infeasible and unproductive, we don't have much choice but to use them.
Severe security vulnerability found in Apache Struts using lgtm.com (CVE-2017-9805):
Also, didn't the Equifax breach happen in May, 2017? If so, I fail to see how the Sept, 2017 exploit plays into this unless it was in the wild months before it was published in Sept, 2017 - which I find hard to believe.
I completely disagree. It is open-source for a reason. If you find a bug in it, fix it and everybody wins. Otherwise, nobody would ever publish any code/software because you would get sued if you did any mistake. On top of that, the software is free. So you basically want to blame some group which gave you something for free which you used to make big money and expect to also sue them for consequences if they made a mistake.
I also feel bad for the engineering team at Equifax. But on the other hand, you have to take into account that any software you employ could have a security flaw in it. That is why you should have additional means to protect it and no single point of failure. And this is especially true if your whole business depends on that data!
edit: spell check
I would have expected this type of data to be stored in such a way that even if someone got access to one of their web/application servers they wouldn't be able to dump 143 million records from it without serious red flags going off.
'Encryption at rest' only works for data that is not actively used, like backups or if a physical storage device is stolen.
A better additional safeguard is to have quotas and alarms in place for data access. Is data being accessed sequentially in a application environment where data is usually accessed randomly? Is data access bound to individual credentials and do indivudals access more data than usual?
I think, there is actually potential for new database products or addons, which can reduce the impact of breaches in the vicinity of these 'core databases'.
ObjectInputStream ois = new ObjectInputStream(input);
MyObject obj = (MyObject)ois.readObject();
This event is leading me to about how social security numbers can no longer serve the role that they have with
establishing trust in identity, although they can continue to be used to uniquely identify a US citizen. This hack may
push markets, and government, to widely adopt biometrics and other sensitive, personally identifiable information.
What won't happen, unfortunately, is the political will to regulate how uniquely identifiable personal information is managed and stored.
Suppose that rather than Equifax, Facebook were hacked. What kind of intelligence and reports does Facebook have on people that would eclipse that of social security numbers and credit history?
I don't think the next world war will be fought with nukes, it will be an economic fight. Leak a few corporate secrets  to stall the economy, use the OPM dump and this Equifax dump to originate enough false loans to seize up the financial sector, then cause havok across the electrical grid  like you did during the annexation of Crimea just to make sure they stay down.
We've been blind to the other half of the threat of centralized information repositories... the 1984 Big Brother scenario assumes the holder of the information wants to control the citizens, but we never considered the information might have leaked to an actor who wants to destroy the citizens.
Biometrics would be a terrible idea. Mass surveillance, anyone?
What if the biometrics were stored on something you have - say a smartcard (definitely not a phone!)? Along with a PIN. Plus, these two items went into a "write only" store on the card (actually, a hashed value of both are stored).
You have a card reader (one at home - and any place you are doing a transaction to confirm identity also has one). You put in your card. Type your PIN. Present your (physical) biometric.
The reader takes the data, passes it to the card (or maybe the card has the reader and pin pad?). The card runs the hashing again, and compares the values. If all is good, it outputs a "Yes" otherwise a "No".
Remember, only the card holds the data (a hashed version) of the biometric and the PIN. That can only be written (you can do this with your terminal at home?). The only output the card has is that "yes/no" value.
All transactions of such nature would be done with this card.
I'm probably missing some steps or such - but the idea is there. That gives a 3-factor authentication system.
Don't expect it to ever be implemented.
1440 tries max if you know the day. 720 if you know if it was day or night. Botnet and/or proxies can do the rest
As far as I'm concerned, they stole my data first, then they packaged it up neatly and gave it to shady persons.
Yes, I'm aware that I "consented" to their collection of my data when I signed up for a credit card, or a car loan, but it's not a system you can realistically opt out of. If I want to rent an apartment or, sometimes, even get a job, I need to consent to a credit pull, so I need to have a positive credit history.
So, we have a private sector monopoly that I am coerced to give my data to, for free, to function in society. Seems like a good business to be in, but as an outsider I'd like to see something drastic happen. Perhaps nationalization, or breaking up of the big three with deep regulation.
*edited to add omitted "three" in last sentence.
I'll watch the outcome of this breach with interest. It strikes me that at the very least credit rating agencies should be non-profit and very closely monitored by government. This will include ensuring security best practice is followed.
As others have rightly pointed out, they even have the audacity to call us customers. Like somehow we turned 18 and signed up for their service. I certainly didn't, and it annoys me that a company whom I have no control over can make or break my credit history.
Tell that to people riding their free class-action credit monitoring from when their OPM background investigation records got leaked to the russians or chinese thanks to the government's "security best practices".
The CRAs don't make or break your credit history, that's the businesses that supply information to them. The CRAs are aggregators, and just report what their members tell them.
You are the product.
The sell this "information" (your identity and more) between businesses looking to establish whether to give you credit or whatnot.
Personal data should be treated with the same care as nuclear fuel. Very very strict conditions.
There is no way to opt out of having your data collected and sold by Equifax, Experian, TransUnion. The power these companies have over US citizens is incredible.
Anyone that's ever tried to remove incorrect data on their credit report knows how painful it is to deal with these companies. Despite dealing and brokering in electronic data to buyers of your credit profile, your interactions with them as a consumer can only occur via paper mail and mailing letters which means weeks or even months for basic communication. They operate like thugs. I hope this is the end of them and by extension the other two agencies as well.
Equifax employs about 10,000 people worldwide. A million small-claims cases has each Equifax employee handling 100 small-claims cases. I don't think they can handle that level of distributed legal aggression. It just takes too much time by too many people, especially if people refuse to settle for anything less than $1000.
Probably the best way to crowdsource it is to go through the process yourself, write a step-by-step guide to what you did, and post the results on social media.
They gave me a date in September that I have to remember to come back and sign up for. It's the equivalent of grabbing a ticket in the deli line.
Look at this text:
"Please be sure to mark your calendar as you will not receive additional reminders. On or after your enrollment date, please return to faq.trustedidpremier.com and click the link to continue through the enrollment process".
That's enraging. You tell me I'm affected and now I have to come back at some date/time and sign up? At least it has given me the time to read all the comments about waiving class action participation.
At what point do we finally tell abusive companies like this that they're no longer allowed to be a company?
I cancelled my Equifax credit watch account about 5 months ago, when they decided to raise rates.
Never have I hoped so much for a business to be sued out of existence. And hopefully their inside traders will get jail time (yeah, right).
" Based on the information provided, we believe that your personal information may have been impacted by this incident."
It then had some button, I forgot what the button said. This led to the screen about "save the date" for protection.
You can check if you're impacted then just not proceed to click "enroll" and be able to check without auto-enrolling and agreeing to their 1yr protection + arbitration agreement.
There is now plausible deniability for so many things.
IIRC, there wasn't even a clickthrough and they framed it as "find out if you're affected." How could that be enforceable?
... Regardless of whether your information may have been impacted, we will provide you the option to enroll in TrustedID Premier.
I really hope this puts Equifax out of business.
I am not a lawyer.
No idea how ironclad such a clause would be,k though.
Really scummy behavior.
> If you choose to enroll, that is when you waive your right to join any class action lawsuit.
> No Class or Representative Arbitrations. The arbitration will be conducted as an individual arbitration. Neither You nor We consent or agree to any arbitration on a class or representative basis, and the arbitrator shall have no authority to proceed with arbitration on a class or representative basis.
Further detail from an actual lawyer in this comment:
It's high time to set an example. Equifax should no longer exist as a company. People responsible should end up in jail. Company executives should be held personally liable. Some would claim it is unfair, but the only way to keep this from happening again and again is for those responsible to face serious consequences.
"Data is a Toxic Asset" https://www.schneier.com/blog/archives/2016/03/data_is_a_tox...
- potentially every one of the 143M people are going to have some sort of trouble
- WORST CASE equifax shuts down, but that doesn't matter. too late.
- if everyone was to win a lawsuit for everything equifax is worth, they'd get maybe $100 minus lawyer fees.
And worse, now we have a financial system dependent on 2 companies. Making a 3rd isn't an easy matter.
This whole industry needs to be turned upside down.
Would be interested in hearing other opinions on what's being said there, especially regarding using the www.equifaxsecurity2017.com site and legal rights.
There's no need for anyone but the customer and Credit Card company itself to retain the actual credit-obtaining-number (other than to allow future purchases with permission, which is the rarer case, often needs to be prevented not facilitated, and doesn't excuse Equifax having more than a reference number.)
Yet the credit card companies don't do this. Why not? 'Cause humans are idiots, all of us, that's why.
PS - run to the patent office and you might be able to make a ton of money patenting this, since patents are now given to whoever shows up at the patent office with the appropriate fees first. Precedence doesn't matter. You would be implying that you thought the idea up independently, of course, but you're smart, right? That's totally the sort of thing you could think of independently. Then when you're rich, you too can help choose what the patent laws look like, and whether rich people should pay taxes.
I've been caught up in the DOD breech, this Equifax incident and a couple smaller ones. I'm not interested in pinching pennies here; I want good results.
A bunch of class action lawsuits might make options like Move to Amend a lot more palatable to corporations facing that kind of scrutiny. It also gives political capital to organizations working to prevent rollbacks on consumer protections implemented after the Great Recession.
If Equifax's reputation hangs on a single hack, then they probably weren't that reputable to begin with. Why should we have to live under decisions that benefit them when they no longer exist, or weren't even who we thought they were?
And then, I hope all of the other agencies take note, and start deleting their data.
Short answer: We won't.
Nothing is likely to drastically change. It'll just be another blip on this week's news, and on to the next big thing that comes up.
Some individuals, over time, will likely have their lives screwed with, but because not everyone at one time will have this happen to them, nobody will care.
Think about how long the EU and others had chip-and-pin for their cards. Also, everyone knew it was more secure. But it's only been in the past 6 months or so that the United States is finally getting it - and it isn't everywhere yet.
I'm not trying to say chip-and-pin would have helped this situation (it wouldn't have). I'm just trying to convey just what kind of social and political inertia is at hand here in the United States, not to mention the size of our collective apathy, and extremely short attention spans.
Had something like this had happened in the 1970s or 80s - heads would've rolled. 60 Minutes would have been all over it. Dan Rather would have frothed at the mouth. It would have been crazy to the extreme in the media and elsewhere. Change might have even occurred.
Today? We'll be lucky if we're still talking about this in any amount next Friday.
This company has already caused harm to literally everyone in the US. Minimally, we all now have to take action to attempt to avoid identity theft. And it only gets worse from here.
And these bastards have the chutzpah to wait until hurricane Irma is upon us to make the announcement.
Multiple steps must be taken for nowadays people to get credit card and debit card or whatever(loans, money transfer,...). Use SSN, name, mother maid name, a few security questions, two-step authentication by default, all passwords must be hashed and salted otherwise it is a crime for the DBA,etc.
Just switched away from 15+-year-yahoo-email after its leakage, now it comes Equifax, which is 1000x more critical, it is so bad.
Wait, what? Isn't this a blatant example of insider trading? Moreover connected to a problem they are responsible for?. Do they seem to be really that stupid or is there a chance that they could get away with that in the end?
I'm left with the conclusion that they were either negligent or incompetent, or layers of management were actively trying to cover things up.
If guess for subscribers they could get more information than publicly accessible. What fraction does it represent?
edit: Was the analysis of the hack published?
Go ask any security guy if they think their environment is secure. Very few of us will say yes. It frequently boils down to we ask for things, and there are budget/manpower/time limitations in getting them implemented.
So a breach occurs, execs say to IT staff "Why was this possible."
IT staff says "We requested back in <month> to fix this, and its working through the slow process"
Execs say "Why didn't you scream louder, identifying it as a critical issue"
IT: "There are 1000's of other issues, just like this one. The attackers just managed to exploit this one, instead of one of the others. We can't identify all issues as critical, because then nothing is critical."
Both parties stay frustrated thinking the other isn't doing their job right.
Edit: people never seem to like it when I say this. The phrase "the buck stops here" has a meaning.
Is there some public record I'm not aware of that says Equifax underspent on cybersecurity? Or is this lawsuit just a shot in the dark hoping to hit a target?
I wouldn't be surprised at all if the allegation is true, but AFAIK there's no way these individuals actually have proof of it, and it seems like a flaw in our legal system that people are allowed to make allegations like this without any type of proof.
Both of these are Good Things. One of the most important things our legal system provides is opportunities for remediation when something goes wrong.
Like many other people I decided to use this because of the breach, I went to the government identity theft site and found some links.
Equifax - Fill out the form. "Additional information required" please mail stuff to us.
Experian - In your state (washington) there is an 11 dollar fee for this service.
Transunion - Fill out a signup form, complete with god damn security questions. Do the quiz about stuff on my credit report. 10 dollar fee.
Go fuck yourselves you fucking bastards. I hope experian goes out of business because of this, I really do.
Has there been any real discussion about alternatives to the present system? How else could authentication work for opening a bank account?
I imagine that the present system survives (1) because of inertia, and (2) because it doesn't require much infrastructure and so it's relatively cheap.
Maybe the next step is something like putting a chip into driver's licenses and ID cards nationwide?
Read "The Art of the Deal.|"
Equifax still hasn't revealed any data about how it was hacked, without that information it's hard to prove they were negligent.
Negligence requires three things: duty, breach and damages.
As to duty:
Does Equifax really owe a duty to every single person whose data it keeps. That would be a tough argument to make. They didn't sign any contract or make any agreement with the people whose data they collect. So where does the duty come from?
Even if the plaintiffs were able to overcome that hurdle, they would then have to prove breach. Was Equifax careless in they way they handled information security? I don't see evidence of that, the mere fact that they were hacked doesn't necessarily mean they were careless. All Equifax would have to show to win on this count is that they had some sort of basic security system in place comparable to what other businesses it's size have in place. My guess is that they do have a security system and that this probably wouldn't be hard for that to show.
Being hacked would be considered under law to be an intervening criminal action. It is established that people are not responsible when damage is caused by someone else's criminal action. So long as Equifax took basic, prudent steps to protect data, they can't be held responsible for intervening criminal action.
As to damages
It's hard to see how anything of monetary value was lost by the plaintiffs in this case. There was a loss of privacy, but I haven't heard of courts giving out awards for that sort of loss.
I'm sure people more familiar with information security could point to flaws in they way Equifax protected info. And certainly the way they reacted to the hack was negative. But bad or imperfect behaviour doesn't in and of itself give rise to a claim for monetary damages in court. This case doesn't seem winnable to me.
There is some argument that if you use Equifax's identity theft protection you may be able to sue, which I think is what this class action is about. But that still doesn't give rise to damages because none of the plaintiffs can prove that their identity was actually stolen. And you still don't have breach (no proof that the hack was the result of Equifax's carelessness).
I imagine that the firm will take 25-50%.
Also, Equifax will likely just go bankrupt vs. paying 4x what they are worth.
Perhaps we should seek to have the company turned over to the people, at which point a blockchain based credit system can be implemented.
We probably need more competition in corporate credit agencies as well like Moodys/S&P that got us into the housing crash.
The lock-in deals these companies have make them get really lazy on their core tasks.