It would become a legendary case study if this site turned out to be an information phishing site. (This one is legit but I expect it to happen someday. I'm surprised it hasn't already.)
After all this site links to the law firm JND, but nowhere does JND mention this site. So any of us could have made this site.
Use the form below to find out if your information was impacted and if you are a class member.
It's somewhat of an unsolved problem, there's all sorts of these kinds of sites that are legitimate but look really suspicious, like they could be phishing sites. Examples:
However, I can see how some people wouldn't think to go through .gov sites and there's really nothing stopping me from registering a phishing site with a similar domain and hosting it in Russia or something to confuse people into using mine rather than the official one.
I think freecreditscore.com has been confused with annualcreditreport.com in the past. Freecreditscore.com is owned by Experian now and it actually does offer a real free no strings attached credit score NOW, but in the past it used to be one of those sites that tricked you into signing up for a subscription.
Then, of course, there was the Equifax data breach site that totally looked like a phishing site.
I've also had benefits through something like "mybenefitsportal.com" or something (made up, I forget the real URL).
I don't understand why companies do this. I completely understand that my health insurance is through "Empire Blue Cross Blue Shield" or whatever. So I expect to go to your corporate website and click "log in". If you think your website is so bad that it will damage your corporate brand... well maybe you should work on that.
If it's an SEO thing, that's also shady. If Bank A has "myonlinebillpay.com" and Bank B has "easyonlinebillpay.com"... how am I going to end up at the right one?
It's only a problem if the authority is obscured by an unrelated domain name. If the page was a location on a site with known authority, or a subdomain, it could be validated much more easily. Unfortunately, vanity gets in the way.
It's not just vanity though, in these two cases "the authority" is the industry as a whole, thus many "authorities."
For example:
>OptOutPrescreen.com is a joint venture among Equifax Information Services, LLC, Experian Information Solutions, Inc., Innovis Data Solutions, Inc., and TransUnion, LLC (collectively the "Consumer Credit Reporting Companies").
>[annualcreditreport.com] is maintained by Central Source, LLC. Central Source, LLC is sponsored by Equifax, Experian and TransUnion so you have a single site where you can ask for all three of your free credit reports.
So why can't Equifax, Experian, Innovis, and TransUnion each set up a subdomain to redirect to this domain? Then they can each direct people to their own subdomain, and people can be more sure that the site they end up on is one that the respective company intends them to.
I feel like the lack of this kind of thinking helps keep people dumb about what a URL looks like, so that phishing links like www.bank-of-america--interestpayments.com/your-account/secure.html keep working. The less people are parsing the few domains they really do interact with, in favor of specialty URLs for every little thing keeps it all confusing.
Your comment inspired me to take a look. I compared the SSL certificate and the whois information to equifax.com. The settlement site uses a different company for the certificate. The settlement site uses Starfield Technologies vs DigiCert for equifax.com. The settlement site uses GoDaddy for their DNS vs UltraDNS for equifax.com. It's not impossible that a division in the company or a different law firm uses a different SSL certificate provider and DNS provider, but it may point to some caution.
Edit: As another commenter pointed out, this site is linked to from the FTC site about the breach.
You're assuming that this site is run by Equifax; it is not. It is run by a "Settlement Administrator", a third-party entrusted by the court to handle the money and record-keeping associated with a class-action settlement. This is to avoid possible manipulation of the settlement by the defendant.
Legally, the settlement administrator must be totally independent from Equifax, so comparing their hosting providers, cert providers, etc. you'd only expect them to match by random chance.
Why compare it to Equifax? I'd just assume it's an unrelated malicious opportunist. I'd rather compare it to JND to have evidence towards proving that it's legit. Anyway it is legit since it's mentioned on the FTC site.
You think they would have learned since the breach. Right after the breach was disclosed they made their information page equifaxsecurity2017.com. It had the same prompt for last name and last digits of the visitor's SSN. Then just said something along the lines of ~"Thanks for the information, we'll have more details later".
In Quebec we recently had a massive information leak from Desjardins, a credit union used by most of the population. It didn't take long for people to receive phishing SMS trying to get information from people.
Arguably, your best bet for this kind of test is a very blatantly fake name, like "Zxzxzx". It's entirely possible that there is someone with the last name Smith (since it's very common) who also has those six digits at the end of their SSN.
It may not be so much a great guess as a statistical likelihood! In 2000, there were over 2.3 million Smiths in the United States: https://blogs.ancestry.com/cm/smith-a-short-history-of-ameri... (This number has likely grown roughly alongside our population, so let's use 2000 numbers for this.) In 2000, we had 281 million people in the US, which means 0.8% of Americans have the last name Smith.
If we assume every possible SSN could be handed out, a trailing six digit entry could have anywhere up to 999 possible SSNs, so you're firing out a shotgun with a pretty big number of potential targets each time you guess an SSN.
I don't want money. I don't want free service. I don't want any compensation.
I want Equifax as a company to be dissolved for incompetency with private data, and I want a way to legally opt out of other such companies collecting and aggregating private data about me.
> I want Equifax as a company to be dissolved for incompetency with private data
I want the system to be changed such that the burden of proof is on the lender that they actually interacted with the person they claimed they did. That is, if someone who is not you uses your information to get a credit card, then the bank loses their money for not following due diligence.
> That is, if someone who is not you uses your information to get a credit card, then the bank loses their money for not following due diligence.
That's pretty much how credit card issuing goes, but the risk is not in someone stealing from a bank under your name, but rather your file now looking so bad that you can't legitimately get credit if you want it. I think what we want here is "the bank has to pay you money if they reject your credit card application / home loan because someone else hacked Equifax."
> but rather your file now looking so bad that you can't legitimately get credit if you want it.
Yes, but under the new system, the bank can't just tell a credit reporting agency that a person they never interacted with failed to make a timely payment. If the bank can't prove beyond a reasonable doubt that they actually entered a contract with you, then they can't affect the actual person's credit rating.
> I want a way to legally opt out of other such companies collecting and aggregating private data about me.
Compare a desire to legally opt out (after checking a box, agreeing to a privacy policy you never read, having your data from 10 years ago - with a chain of custody/dispersal that's probably untenable, if not impossible, to map by now - synthesized by a third party) to GDPR's concept of consent:
"The key point is that all consent must be opt-in consent, ie a positive action or indication – there is no such thing as ‘opt-out consent’. Failure to opt out is not consent as it does not involve a clear affirmative act. You may not rely on silence, inactivity, default settings, pre-ticked boxes or your general terms and conditions, or seek to take advantage of inertia, inattention or default bias in any other way. All of these methods also involve ambiguity – and for consent to be valid it must be both unambiguous and affirmative. It must be clear that the individual deliberately and actively chose to consent."
GDPR also has a concept of "objection". Even if you opt in, you can later "object" which will allow you to remove your consent. Although, in general, I really like GDPR, we've actually had a bit of a problem with this because it's quite unclear what you should do if someone opts in, then objects and then opts in again. For example, we have an opt in for us contacting the customer by email (which we do for marketing purposes). The customer can easily "object" and we'll remove them from the list. However, people frequently want to resubscribe. They thought they didn't want the marketing information and later changed their minds. It's not clear to us if it's legal for us to resubscribe them. I've actually thought that it's better for us to offer a separate service for marketing and get people to subscribe to that service under contract basis just to avoid this problem. That way they can terminate the contract and if they want to resubscribe, it's a new contract. I'm rambling here, but one of the things that really surprised me is that we have this horrible popup asking users to subscribe to our newsletter. I always opposed it because it's super annoying. However we were looking at analytics and it appears that a very large proportion of our customer base only go to the website to sign up to the newsletter (we're unusual in that most of our business comes through our call centre). So the newsletter really is a service that our customers want... It's a weird world ;-)
That's like when websites say I've opted into such and such just by visiting the website. It's a stretch to call something opt-in when it's unavoidable in modern life.
When you take out a loan or credit card you sign a legal document agreeing to all of the various terms. You don't sign anything when visiting a website.
Credit cards --- bona fide, revolving-credit credit cards --- are so completely avoidable in modern life that I'm a little mystified as to why people get them at all. I couldn't for most of my adult life (weak credit score) and feel like I've dodged a bullet. I have a (secured) card with a low limit now, just to rent cars, but it's gotten a lot easier to rent cars with debit cards now, too.
Heading off a routine objection to this observation: I've had a family with kids since I was 22, and spent most of the years prior to the Matasano acquisition living, if not paycheck-to-paycheck, at least pretty close to it.
I'll add: I don't know what my credit score is now --- it's probably better than it was, since I've had that dumb car-renting card for 6+ years --- but, knowing that my credit was bad enough that I couldn't get a non-secured card, including from my own bank after the wires for the Matasano acquisition cleared, and knowing that I had at the time a house and a car and all that stuff, and really no trouble ever getting a lease for any place I could afford the rent for, I find myself wondering a lot how much credit scores actually matter. If I'd thought that when I was 22, I'd say, "welp, I just don't have enough life experience to know". But I'm 42 now, and I have a bit of a hard time projecting to a point where I can see a clear reason to give a shit what number Equifax generates for me. Like, maybe I'll care a lot when I'm 62? I kind of doubt it, though.
> Credit cards --- bona fide, revolving-credit credit cards --- are so completely avoidable in modern life that I'm a little mystified as to why people get them at all.
Cash back and other rewards. They can add up if planned for properly—they aren't a life-changing amount of money or anything, but they're nice. Effectively, if you aren't using a high-fee card like American Express, you're subsidizing those of us who do use them (much to the chagrin of merchants). It's better to be on the receiving end of that subsidy, not the giving end.
> I find myself wondering a lot how much credit scores actually matter
I feel similarly mystified sometimes as I've never needed one. When my mom mentions paying off a CC bill, I think "why not just use debit?" Maybe she'll have to delay purchases or occasionally miss out on something, but it ends up being the same money.
There are also people who are below the income line of paycheck-to-paycheck, people with addictions, people who have jobs or lives with risk of injury and thus medical bills or unpaid leave for recovery, people who have a big family with needs they have to pay or travel for... and I feel people can use CCs because rich people culture pressures them to cling to things and the idea of being "successful" to attract peers and love interests... but that's just my subjective analysis.
Without a credit card, how do you buy anything online, or sign up for any SAAS? (the ones that don't accept Paypal, which is most). Using pre-paid Visa cards is possible sometimes (but not always accepted) but they are also a hassle to manage as a primary payment method.
Booking travel online? All credit cards.
Renting a hotel or car can be next to impossible without a credit card to put down. Once I had to pay a $500 deposit to stay in a hotel for 1 night because I didn't have a credit card they could put on file.
We're talking about actual revolving credit credit cards, not debit cards. I understand that you need access to the Visa payment system to function in modern society, but you can trivially get access to that simply with a checking account.
It is absolutely not impossible to book a hotel room or rent a car without a credit card. This is a weird thing that HN seems to believe about consumer finance that has not all that much basis in reality. I book rooms exclusively on debit cards, and doubt there is really a hotel that will refuse to do that. You might not be able to book a car with Hertz, but who cares? Other major rental car companies take debit cards.
The Debit/Visa cards work for lots of things, but last I tried most places wouldn't accept them to have on file for damage deposits and such (hotels/cars). I have to admit, I haven't tried for about 5 years. A debit/visa is no different than a prepaid visa. On an actual credit card, they can push the charge through even if you don't have the money available (pushing you over your limit if needed). Visa/Debit and Prepaid Visas can't go over the available balance.
I'm not sure about the sentiment on HN, but I'm speaking from personal experience. Any time I've tried to use a Debit/Visa when checking into a hotel they've required me to pay a deposit that was returned on checkout.
You’re not from the US. Debit means a whole different thing in the US. Unlike other countries, visa debit is functionally equivalent to a credit card, and the retailer doesn’t know the difference between visa debit run as credit vs visa credit.
Once again, I have a credit card I use almost exclusively for renting cars, and I believe I invariably check into hotels using debit cards. I can't remember ever having a problem.
You can easily get through modern life without taking out a loan from the financial system. I'm 41 years old and I've never had a home or car loan. I have credit cards, but I easily could have gotten by using debit cards instead.
So your financial history is being tracked and scrutinized. At 41, you might be able to live and die without this being a big problem. In my 20s, I worry about my ability to secure healthcare and other such necessities in my later life based on a social credit score which includes financial credit history I never opted into. Just getting on a lease is enough for a credit pull. It's unavoidable.
This is just false. Lots of real estate organizations require a credit pull as part of your application. You aren't renting from the owner/landlord but from the property manager; there's no notion of just "pay a bigger deposit to make up for your lack of credit history".
It's also pretty much impossible to get through modern society without a credit card if you want to do anything crazy like, rent a car or reserve a hotel room.
That has not been my experience or the experience of many people that I know. Property managers care about risk. The risk of someone with low/no credit can almost always be mitigated with cash.
I discuss issues with renting cars and hotel rooms in sibling threads.
This may be true, but it's out-of-band. We need frameworks which ensure a level playing field, not tricks and loopholes which only allow the most cunning or fortunate of those with little credit to succeed in life.
You are ignoring the fact that not everyone's circumstances and opportunities are the same. You keep saying "easy" as if it's an objective fact. Saying "I did this thing with these limits so anyone can" is dishonest and the implication meant by that is hostile to others.
Are you trying to say "not everyone has the cash on hand to put down a bigger security deposit?" If that's what you are trying to say, just say it. If that's not what you are trying to say then I don't understand your comment.
I am saying that amongst many other things which are self evident. Not everyone has the situation and finances you do. Not everyone has the same buying markets and opportunities you do. Not everyone can exist within their social, family, and work situations with your "truths" and "rules". One can exist without using electricity...doesn't make it comfortable or practical AND it's not an argument for the idea of entering into a third party holding and selling and not securing your info in order to get it.
I don't really understand why you are being defensive of bad practices and policies with the "nobody makes you sign up" argument. I never understand why people defend these things and blame the victims of them.
I'm not being defensive. I just honestly do not understand what point you are trying to make. I think that the things that you think are self evident are not self evident to me. Perhaps that is my failing. shrug
Now, it's nearly impossible unless you want a slumlord.
Maximum security deposits are set by the state. In my state it's illegal to require more than two months rent as a security deposit. Security deposit is defined by statute, you can't just call it "rent prepayment."
I apologize for breaking up our communication across this thread but you've made several fair points I would like to address.
Even my last apartment required a cosigner because of my lack of credit history. I don't have any family to turn to so I had to rely on the family of someone else. Many people don't even have that good fortune.
Less directly, I was illegally evicted from my first apartment (3 days to move out over burst pipes in a multi-unit dwelling which caused our unit to flood) and due to not having the credit to get a loan to hire a lawyer to defend me against a clear cut case, I was blacklisted by my vengeful landlord and banned from renting anywhere in that city. Only lease I managed to get in that city after that was because I was friends with the leasing agent. I also lost hundreds of dollars in furniture including some vintage pieces due to getting only 3 days notice to vacate.
This set me back tremendously; as you can see it's a bit of a feedback loop between bad credit and bad rental experiences.
is this CA and is this a pay in 3 days or quit notice you're talking about? because if it is, you don't have to leave in 3 days. you can wait for a default judgement and then the sheriff to come actually post notice to leave. that gets you about a month, not 3 days, which should be enough time to find a new place and move everything. burst pipes means you have a habitability defense, so you could have represented yourself in eviction court based on that, which at the very least would have given you more time to move out, if not compensation and the right to stay.
This is pretty clearly not the case. I rented in relatively hot markets --- there was actual bidding for the SOMA loft we got back around 2000! --- and I had bad credit (put differently: when I was renting, I would have had better credit had I no contact with the consumer credit system whatsoever), and my credit score never once kept me from getting a lease, or even changed the terms of a lease.
Based on everything I have read, as well as my own personal experience, I think you are exaggerating the seriousness of the situation. Do you have any evidence of this being the case?
My sister is currently renting a moldy basement (not a legal apartment) because of her poor credit. She's got two babies, she'd prefer better accommodations but that's all she could find with her credit. No evictions but several judgements against her.
You can absolutely do both of those things. I book and check in with debit cards routinely, and there are major carriers that rent cars on debit cards.
There's one gotcha though with using a Debit card for car hire where you cannot access the money for the holding deposit until the hold is released. Learnt that the hard way.
With a credit card it's not money you intended to use so you don't care - unlike cash in your debit account.
Booking a hotel without a credit card requires a deposit. I've had to pay up to a $500 deposit on a hotel stay before. Yeah you get the money back after, but not everyone has that type of money laying around.
Not to mention that the deposit will not be available until 3 to 5 business days after you check out. It usually takes that long for the release to go through. (because obviously in this day and age, technology is not yet fast enough to process a transaction in mere seconds).
Yes, some of those things (not the hotel room though, a debit card will do just fine for that) become more complicated without a credit card. But that is because you are, essentially, asking someone to loan you money. As soon as you start doing that it's reasonable for them to want to participate in a system that helps them understand how risky you are.
Plus, all that being said, you can still do all those things without a credit card. It'll just be somewhat more complicated.
Yes, if you want people to loan you money at low interest rates you have to agree to the system whereby if you don't pay things back the system will keep track of that and not loan you money at such low rates again.
What’s less reasonable is that you also have to participate in the system if you want a bank account or electricity or such. Or, heck, you don’t even need that; just have some fraudster open an account with your info and you’re in.
Opening a plain jane checking account won't impact your credit report. Neither will the vast majority of accounts with electric or other utility companies.
If a fraudster does something in your name, you can get things corrected. I agree that this can be more work than it should be, and would support regulations to make dealing with this easier.
Merely opening an account won’t. But if something goes wrong and they decide you owe money, that will. It’s not a certainty, but by just opening a checking account you are taking on a certain amount of risk that your info will be reported to the credit agency.
You can get your info corrected if you’re the victim of fraud. Can you get it deleted entirely, such that the credit bureau has no record of you, as if you never existed? Or is participation in the system not actually voluntary at all?
GDPR "opt-in" consent definition also says it must be possible to "opt-out" and still receive the service.
If the data is required for providing the service, no consent is needed, but you must be able to clearly show that the data is indeed an absolute requirement to provide the service.
Someone would probably be willing to write you a loan with opaque credit history, for the right price. But that price would be so high you'd never agree to pay it. (This is not the same as no credit history. No credit history means you have not taken out any loans before. An unknown history with credit, that you decline to reveal, is far worse).
Credit reporting is an immensely valuable institution, and a lot of that value gets passed down to borrowers.
I'm comfortable with the idea that "if you take out a loan, but don't pay us back, we're going to tell other people that you're a bigger credit risk" is an absolute requirement to provide the service.
It's certainly a requirement if you don't want the interest rates on loans to be much higher.
It wasn't always a requirement! They had other heuristics before they had credit scoring databases, like, "do your parents have an account here", and, "do you have the correct skin color and religious affiliation".
The fact you don't know about it doesn't mean it doesn't happen.
I have to laugh a little at the naivete of thinking that a credit reporting company shows you everything they know about you on a credit report. They don't even show you everything they show loan companies who pull your report.
Set standard loan terms according to worst-case credit risk. Offer personalized terms to those who agree to the data collection and processing necessary for personalization.
Subprime loan products already exist. They do typically run your credit, but they don't need to: the fact that you would pay for one says all that needs to be said. They're also typically offered under different branding from a respectable financial institution's loan products for people with good credit. An opt-in requirement for credit reporting only changes these basically cosmetic facts.
Better-than-worst-case credit history is immensely valuable. So valuable that a lender will cut you in on tens of thousands of dollars in savings for sharing it. Of all the things you could need opt-in consent for, it's an easy sell. Everyone would buy it. We'd be in the same position.
As reificator says, the idea is making headway. Politics require compromise. Ideally it would be opt-in, with strict regulations and severe penalties still in place.
Finance isn’t the only area that uses reputation to judge people. I imagine we’ve all been asked for references when applying for a job or an apartment. Jobs and apartments manage to get by without a centralized score.
Mortgages predate credit scores by centuries. It’s demonstrably not necessary.
Many, if not all medium to large companies do in fact pull a limited credit report as part of the screening process. Also, there is far more regulation on mortgages these days. E.g. I can get a massive home loan from a banker I've never met before because of credit bureaus.
Maybe not - If a substantial number of potential borrowers are able to opt out, then lenders might start to find it worthwhile to find a way to accommodate them.
You can already opt out of that system, but you have to pay for that privilege.
There is already a good number of lending options available to the many (millions?) of people disenfranchised from the traditional banking system. Usually that means offering strong collateral.
But the terms of those options aren’t too great because trustworthiness and risk have a strong negative correlation. And those who can prove their trustworthiness almost always prefer to do that rather than pay extra.
In the US yes, in a lot of other countries in the world they don't have a credit score as crazy as this. The only thing that's registered in the Netherlands for instance is how much you have to pay every month in interest and if you have failed to pay any of the bills for loans you have. This is submitted to the government and requested and updated by banks.
Technically you can still get loans and credit. It's just a lot harder and requires more underwriting and proof instead of having a single, handy Credit Score number attached to you from various agencies.
I wonder. When I bought my first house it was a very simple process because my finances were very simple. For the second, which I’m still in the process of finalizing, it’s been an absolute nightmare. Both my wife and I have credit scores above 800, but add just a few unusual financial elements to the mix and the underwriters start having aneurysms. Take away those nice shiny credit scores and I imagine many banks would flat out refuse to touch us.
Isn't this the definition of a red flag? All you are is a profile to them so any unusual activity is going to draw scrutiny whether it's warranted or not. They have to do due diligence.
Which is totally fair, I get that. It’s kind of my point: anything financially out of the ordinary, plus the massive (to them) red flag of no credit history, would be a very difficult obstacle to overcome in getting a loan.
5-second glance at the stuff in the <head> shows pixels for: Google Ads, Facebook, Twitter, a bunch of other slimy stuff.
What the actual F. Who does that?
Edit: also, no content security policy, no subresource integrity for 3rd party scripts. Is there such a thing as filing a class action against the party handling the class action? This is downright irresponsible.
Edit: I see a couple of the 3rd party scripts have integrity, but most don't.
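The check described in the comment above (third-party scripts without subresource integrity, and no content security policy) can be automated. The following is an added example, not part of the thread and not code from the settlement site; the function names, host names and sample HTML are constructed for illustration.

```python
"""Audit a page for third-party <script> tags that lack Subresource Integrity
and for the absence of a Content-Security-Policy. Added example; all host
names and the sample markup are constructed."""
import base64
import binascii
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Digest lengths (bytes) for the hash algorithms SRI accepts.
SRI_DIGEST_LEN = {"sha256": 32, "sha384": 48, "sha512": 64}


def has_valid_sri(integrity):
    """True if at least one token is '<alg>-<base64 digest>' of the right length."""
    for token in integrity.split():
        alg, _, b64 = token.partition("-")
        b64 = b64.split("?", 1)[0]  # drop optional SRI options
        if alg.lower() not in SRI_DIGEST_LEN:
            continue
        try:
            digest = base64.b64decode(b64, validate=True)
        except (binascii.Error, ValueError):
            continue
        if len(digest) == SRI_DIGEST_LEN[alg.lower()]:
            return True
    return False


class ScriptAudit(HTMLParser):
    """Collects external scripts and any <meta http-equiv> CSP."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.scripts = []
        self.meta_csp = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script" and a.get("src"):
            src = urljoin(self.page_url, a["src"])  # resolves /path and //host forms
            self.scripts.append({
                "src": src,
                # Simple rule: any host other than the page's own is third party.
                "third_party": urlparse(src).hostname != self.page_host,
                "integrity": a.get("integrity", ""),
            })
        elif tag == "meta" and a.get("http-equiv", "").lower() == "content-security-policy":
            self.meta_csp = a.get("content", "")


def audit(html, page_url, headers=None):
    """Return CSP presence and the third-party scripts loaded without valid SRI."""
    parser = ScriptAudit(page_url)
    parser.feed(html)
    hdrs = {k.lower(): v for k, v in (headers or {}).items()}
    csp = hdrs.get("content-security-policy") or parser.meta_csp
    third_party = [s for s in parser.scripts if s["third_party"]]
    return {
        "csp_present": bool(csp),
        "third_party_scripts": len(third_party),
        "missing_sri": [s["src"] for s in third_party
                        if not has_valid_sri(s["integrity"])],
    }


# Constructed sample: one first-party script, one pinned CDN script,
# two tracking pixels without integrity, one with an unusable hash.
_GOOD = "sha384-" + base64.b64encode(hashlib.sha384(b"constructed").digest()).decode()
SAMPLE_URL = "https://settlement.example/"
SAMPLE_HTML = f"""
<head>
  <script src="/js/app.js"></script>
  <script src="https://cdn.example/lib.js" integrity="{_GOOD}" crossorigin="anonymous"></script>
  <script src="https://ads.example/pixel.js"></script>
  <script async src="//social.example/widget.js"></script>
  <script src="https://cdn.example/other.js" integrity="md5-abc"></script>
</head>
"""

if __name__ == "__main__":
    report = audit(SAMPLE_HTML, SAMPLE_URL)
    print("CSP present:", report["csp_present"])
    for src in report["missing_sri"]:
        print("no SRI:", src)
```

On a page that collects name and SSN digits, every entry in `missing_sri` is a script whose operator can change what runs next to the form without the site owner noticing.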
What he’s saying is that even if www.equifaxbreachsettlement.com isn’t using the 5 digits of your SSN for nefarious purposes, Google Ads, Facebook, Twitter, and other slimy companies are collecting this data. Even if FB, Twitter, Google et al aren’t using this data, it might be available to marketers who use these Ad platforms.
Please correct me if my explanation of the parent comment is wrong here.
I'm pretty sure you don't have a legal claim against a site because it doesn't use subresource integrity. Three quarters of the internet could be sued. Now if the company handling the claims _also_ loses your data, then maybe you'd have a shot at a case.
Note that many free credit monitoring services exist, and most credit cards nowadays have this feature available. These qualify you for the $125 payout.
Up to 10 hours effort ($250) can be claimed without documentation, for time spent battling or preventing ID theft. Preventing is probably key here, and could cover a lot of activities.
Really interesting! Does submitting a claim here prevent you from suing Equifax in small claims court? It seems possible that a $5000 may be worth my time.
Not only does submitting a claim prevent you from suing Equifax, the only way to preserve your right to sue is to actively exclude yourself from the settlement. See FAQs 19 and 23.
It appears that rule 23 of the Federal Rules of Civil Procedure binds even unnamed parties of a class action suit, unless they exclude themselves from an eligible suit.
If this breach affected 147M people (which is what I can find from various articles), and $700M was set aside (before attorney fees), and most claims will be $125, that's only ~4M people who will get $125.
Are they expecting very few people to file claims? Or what am I missing?
It sounds to me like they'll give you free credit monitoring, UNLESS YOU ALREADY HAD CREDIT MONITORING, then they'll give you $125. Most people don't have credit monitoring, I think. Personally, I've found the free credit monitoring that they gave me pretty useless. I get an email regularly telling me my score changed. I have to go log in and find out I went up 2 points because of an algorithm change. Thanks for looking out, Equifax! Then I go to a dealer and they pull my credit and it's dramatically higher than what Equifax has been telling me. The whole system seems silly to me.
It is either-or, not both. If you want the money you have to promise you have credit monitoring from somewhere else. Credit Karma (for example) counts as free credit monitoring and you can easily make an account before making the claim. Many credit cards come with monitoring too.
I have about four different free and offered-after-breach monitoring services. It seems to average about one new breach and "monitoring" every couple of years recently.
According to the FAQ if more than $31 million in claims are made, the amount of the payment will be reduced. So, the number of people who can receive $125 is ~250,000. I can't imagine they'll get fewer claims than that given how many people were included in the breach.
That's just wild. Where's the rest of the money going?
> If there are more than $31 million claims for Alternative Reimbursement Compensation, all payments for Alternative Reimbursement Compensation will be lowered and distributed on a proportional basis.
No one is going to get $125, we’ll maybe get $5, without doing the math.
Supposedly only ~3% of eligible people make claims in a typical class action case (according to an r/personalfinance poster claiming they work around such cases).
Sounds like a great payout for the lawyers, but a terrible one for individuals. I bet you have to sign off on 'never holding Equifax liable again for this breach' as part of your free monitoring.
They can keep the $125 (although, I wish I could direct it to a charity). I don't want to submit all of this information to an entity whose data security is probably worse (hard to believe) than Equifax!
Exactly... and what about the losses that I may suffer in the future from this? If I take the $125 now, am I no longer entitled to free identity restoration? The effects of this are going to last longer than the class action suit. It's just a huge waste of time for everybody except the lawyers.
If you have any basic credit card, you probably have credit monitoring. It's included with most cards. Like, for example, my basic free Capital One card comes with free credit monitoring with CreditWise, which counts for this context.
Step 2, you can self certify up to 10 hours how much time you've spent on prevention or dealing with ID theft. That's $250. And if you can prove it with documentation, an additional 10 hours, for a total of $500.
The theoretical argument is that you should only be compensated for damages and incurred costs. If your information is leaked but no one used it, arguably there are no demonstrable damages. If you didn't purchase credit monitoring, you didn't incur any costs.
There are two reasonable answers, ignoring whatever is specified in the legalese which of course takes precedence:
1) It must be a third party service that you have entered into a business arrangement with, where the arrangement in clear and specific terms provides you with credit monitoring.
2) It must hold up in a court of law if challenged.
That second one is the anti-loophole provision of law, and protects against the kind of loopholes people try to find to get around the clear intent of the requirement.
You can choose to use any service that would hold up in a court of law. There are no clear answers on whether "any" service would. Time established, diversity of customers, active or inactive business, frequency of credit report inspection; all could be factors in a judicial evaluation of whether you complied with the terms or not. Capital One? Yes, they plausibly do offer credit monitoring as a service. Joe Bloe's Credit Woes? Entirely possible, if they've been around a while and can demonstrate that they pull credit reports on a regular basis and audit them in some manner.
Can you monitor it yourself? Only if you already operate a credit monitoring business. Otherwise, it'll fail the plausible test, and you lose your $125 + lawyer fees + risk angering a judge.
You're actually certifying that you will have credit monitoring for the next 6 months, i.e. you can sign up immediately before filling out the form and keep it for 6 months after.
I'm feeling a bit cynical, and I wonder if this will bring real changes? I happen to have a good friend at ReliaQuest, so I know that, after the data theft, Equifax hired ReliaQuest, and has slowly expanded that contract, giving more and more responsibility to ReliaQuest. My friend is an awesome engineer and ReliaQuest is a very good outfit, but still, I'm frustrated by the idea that the CEO of Equifax can simply outsource security and then not think about it any more. For companies that hold people's most sensitive data, I'd like the top person to be obsessed with security 24 hours a day. I wrote about this previously:
"If a company handles people’s sensitive financial data, then I would like the CEO to be the type of person who wakes up in the morning thinking about security, goes to sleep at night thinking about security, and never has security far from their mind during the day. So to hire a security company, and then act as if security is a solved problem, is troubling. There are many other ways for a company to be hacked. Social engineering is a danger, and most company hacks are inside jobs. Hiring a firm such as ReliaQuest does not protect you from having one of your own employees steal data and sell it to the Russians. Protecting against internal attacks requires hard thinking by the top leadership of the company. The job can not be outsourced."
No. A CEO runs every aspect of a business. While it might be a bad call outsourcing everything, they obviously want expertise rather than having to either rely on their current team that fucked up (which would be viewed as negative), or take some time to hire new people. Hiring new people takes time & isn’t reactionary. Everyone will want them to be seen to be doing something. Hiring an external company is possibly the best short term thing they could do.
I completed the request with specified damages from the breach. I recently received a letter saying my claim was denied as I had "failed to mail the documentation," however, there was no notice on the webform that I completed that required mailing the documentation.
You can only claim the $125 cash if you affirm that you're already paying for credit monitoring. While I don't expect anyone to confirm your claim, you do have to sign your name to a legal document stating as much. You can make additional compensation claims if you suffered actual damage or spent time dealing with the breach, but as I could not honestly claim such, I don't know what that part of the process entails.
“Class Counsel will ask the Court to award them attorneys’ fees of up to $77,500,000 and reimbursement for costs and expenses up to $3,000,000 to be paid from the Consumer Restitution Fund.”
Do you have custom rules enabled? I'm running the default uBlock Origin (version 1.18.6) on Firefox (60.8.0esr - company machine) and didn't have any problems. uBlock reports that it blocked seven requests to four domains (ads-twitter.com, bing.com, facebook.net and googletagmanager.com).
After all this site links to the law firm JND, but nowhere does JND mention this site. So any of us could have made this site.
Use the form below to find out if your information was impacted and if you are a class member.
Last Name _______
Last 6 Digits of Social Security Number ________