Hacker News new | past | comments | ask | show | jobs | submit login
Equifax doesn't want consumers to get their $125 (nytimes.com)
649 points by CaliforniaKarl 27 days ago | hide | past | web | favorite | 272 comments

Don't know if anyone posted this before, but if you scroll down to #25 here: https://www.equifaxbreachsettlement.com/faq

You can send a letter to the Courts and let them know why you do or don't think this is a sufficient and decent settlement.

Share it, let's get people writing in, because this lets Equifax keep really everything and in the end little real effect from their failure to take care of the information they were entrusted with.

Thanks for posting this. My wife and I already have credit monitoring so we’ve been very frustrated that it seems like Equifax will be weaseling out of paying us our $125 each. We’ll be sending a couple of letters today. Personally I’d like to see the courts rethink the settlement and force the $125 payout to everyone who requested it.

I'd like to see the courts force Equifax to pay $X to everyone whose information they leaked, whether they request it or not. But this settlement doesn't seem to be about actually punishing Equifax at all or fairly recompensing those affected.

This is a very, very imperfect method of figuring out the key question here ("Would Equifax just file for bankruptcy?"), but their enterprise value is ~$20B, and paying out $125 per person would cost over $18B, so it seems pretty clear you'd need to reduce the per person payout. It would take more work than I can put in right now to decide what it should be, but finger in the wind halving it seems like the right starting point.

Bankruptcy seems quite appropriate. They not only failed to maintain the security of the data, they also provided no identity theft protection to the public (unless you asked for it), and as a company appeared to have no plan for this event. Given that they were entrusted with the identity data for basically all Americans, that is inexcusable.

> Bankruptcy seems quite appropriate.

Hmm... Would not they just file for a Chapter 11 bankruptcy, restructure their debts (i.e., write those pesky $125 payments off), then emerge in a better shape than they were?

That's not how bankruptcy works. The court and trustee divide the assets across creditors according to debt seniority.

(i.e., write those pesky $125 payments off)

What does that mean? As far as I know, you can't just announce that you're "writing off" debts and have them magically disappear.

You sell the company at a low price to a friend and pay out the low sum to the plaintiffs. This would need approval under chapter 11, I guess, and if you sell the company it includes the debt, so they'd have to be tricky about it and just sell the meat or the milk, not the whole cow. Ironically, this invariably means selling the customer data (but also existing contracts and what not). IANAL

The bankruptcy judge and trustee wouldn't approve an asset sale at significantly less than fair market value.

Sorry, should have been more clear: I wasn't commenting on whether or not bankruptcy is fair to Equifax or not, I was meant "Would Equifax avoid paying the money out via bankruptcy protections (from which companies can actually emerge from in better position)?" I assumed the OP cared primarily about receiving the settlement.

> provided no identity theft protection to the public (unless you asked for it)

And unless you're _exceedingly_ careful and diligent, after a short period of time, you will be paying them to continue it.

Would bankruptcy be so bad? “Sorry, Equifax. Due to some recent financial irresponsibility, we’ve unfortunately had to lower your score. To zero.”

Clarified above, but I was thinking about likelihood of receiving the settlement, not fairness to Equifax. A settlement number so punitive it would put them out of business would substantially reduce the chances of those impacted receiving more than a token amount.

On the other hand, driving the value of their stock to zero would be a very effective deterrent against future bad behavior.

>On the other hand, driving the value of their stock to zero would be a very effective deterrent against future bad behavior.


Then, we can try killing people who commit heinous crimes, or at the very least lock them up for the duration of their lives. When you make a mistake, you and everyone around you should pay, regardless of their involvement or actual harm done to others. Dearly. Why has no one thought of this? I have no worries, because me and the work I do are without flaws. Sounds like Utopia.


But, really, I think a corporate "death penalty" would be much more justifiable than a corporeal one. The company can reform its business and try again; whatever's left of it (the ultimate shareholders) could even be made whole (with cash) if the decision was egregiously bad. Natural people, on the other hand, aren't coming back from the dead.

I don't follow the "perfection" part of your comment. I'm certainly not suggesting that this be the only remedy, but this is, as things go, pretty bad, and maybe it deserves a pretty harsh punishment.

If your business leaked millions of private records in a similar manner, would you expect to remain in business afterward?

As I clarified above, I was thinking about whether or not the 147M affected would actually receive anything, not about fairness of the punishment.

> I'd like to see the courts force Equifax to pay $X to everyone whose information they leaked, whether they request it or not.

Unfortunately I'm not sure that's an option:

"You can’t ask the Court to order a larger settlement; the Court can only approve or deny the settlement as it is."

Denying the settlement leaves open the possibility of a larger one. The court just can't order the subsequent negotiation have a specific result.

Which is not what the parent comment was going for. It said, "I'd like to see the courts force Equifax [...]".

Now it's just semantics. Denying the current settlement would inevitably result in a larger settlement, unless everyone appealing to the courts is saying that the $125 repayment is too much.

How is this just semantics? If they have to do things over, they might just reach a different settlement than paying individual people $X. Or heck, there's always a chance they won't agree and will have to battle it out in court. Or maybe something else that I can't think of. It might be likely that they'd come up with a better payment, but it seems far inevitable to me.

Is it just me who thinks that $125 would hardly cover the cost of dealing with a stolen identity?

You could file for additional compensation based on documented damages (time, cost, etc). I'm not sure if that came from a separate settlement or not (doubtful) or if the documentation requirements are even more onerous (likely), but there was definitely an option to do this.

Depending on how much you asked I suspect the documentation required would scale but at a certain threshold they'd probably just pay an individual $300 with minimal documentation.

But who knows, they've been pretty craven and uncaring throughout. CRAs are not very good companies, honestly.

You'll be asked what may be a bunch of superficially dismissing questions. They're in fact optional...

""" Option 1, Credit Monitoring: Free Service or Cash Payment

Option 2, Cash Payment: I want a cash payment of up to $125. I certify that I have credit monitoring and will have it for at least 6 months from today.

Current Credit Monitoring Service: Self

Cash Payment: Time Spent No spent time

Cash Payment: Money You Lost or Spent No money lost or spent

Supporting Documents No documents selected

How Would You Like to Receive Your Cash Payment Check """

To be clear, can anyone assumedly become a "Settlement Class Member" simply by being an American citizen or having an SSN (and thus being affected by the breach?)

edit: Thanks for replies; the answer is "no". You can check if you were affected on the settlement homepage under "I would like to..."

I was not affected by the breach, so a letter from me would not matter.

Small correction: you don't need to be an American "citizen" to be affected; it suffices to have credit history in the US (e.g. permanent residents, etc).

I think not quite everyone was affected, it was supposedly 147M people. You can check if your information was included in the breach on the settlement site.

I mentioned this myself earlier, but later I noticed 2 huge caveats I hadn't noticed before:

1. If you are a Settlement Class Member, you can object

2. Your objection letter must include: A statement as to whether you intend to appear at the Fairness Hearing

This means you cannot opt out and also object, and you also need to spend $$$ either traveling to the court or finding a lawyer to appear for you.

Not sure how many people are willing to do that.

The article mentions this, but the court will read all the objections. In reality, this means that a clerk will probably be tasked with reading and summarizing them for the judge, and the judge might read some of the most compelling or a selection of them. While it's probably less impactful than showing up, you can definitely object and exert some influence on the judge's decision.

> To be considered by the Court, your objection letter must be filed electronically with the Court by 11/19/2019

Do you know how to file the objection electronically ?

Has anyone publicly done the work to cite law/precedent to object to the fairness here? Certainly I can provide my own personal reasons, but citing law and previous settlements would bolster the case (and this specifically asks for it too)

If anyone is getting a mortgage or refinancing soon, ask your lender to 'drop' equifax without running your score with them - just take the score from the other two. Equifax is an unnecessary security and privacy risk.

They are a horrible company that needs to go out of business. Make their customers feel embarrassed to be doing business with them.

Do we really know for sure that the other bureau's are really any better, and not just lucky at this point?

It doesn't necessarily matter. If one of these companies is badly wounded by credibility problems... it can catalyze a wider change.

Alternatively, it could just consolidate the industry even more than it already is.

I swear this is the motto of hacker news. "Everything sucks and you're wasting your time trying to change it" - HN

In human systems (which software now enables) like oppressive government and corporations, often things do suck and vast powers are arrayed against the individual activist.

In peace and science, social justice and medicine, things have never been better.

Not just hacker news, it's pervasive in any community where people who value intelligence meet. It's because cynicism is a lazy shortcut to a 'smart opinion'.

How do we sound smart with zero effort? Well we don't want to be gullible (everything is good and fair!) so we do the opposite (everything is corrupt and bad!).

I really wish it were more than that.

I think you have hit on an actual insight here, but it's worth noting that it's of an extremely similarly cynical and broad-brush character to what you're talking about. :)

So what you're saying is, everyone says something is black (or white to appear smart), so therefore to appear actually smart, I should say everything is a shade of grey?

Everything is a shade of grey Seriously though, most of the time it actually is, and it's almost always more complex than we realize.

Saying something like "Amazon is good" well, that's an opinion, definitely grey. Saying "This is exactly 1 inch", well, it probably isn't and the more you care about it's accuracy, the harder it is to measure. Most things are like that. Clear cut at first, and increasingly more difficult the more precise you go. The devil is in the details.

So, yes, if the only options are black and white, the answers are generally easy, you've got a 50% chance of being wrong. As soon as you blur the line, you're basically wrong all the time. The goal is to be less wrong, and to improve, make progress.

I understand that the pervasive cynisicm can be exausting, but in the case of computer security, it really is warranted.

Does this actually work? Do bank employees have any control of the credit check process?

My lender always drops the lowest of the three scores, so I was able to just say "I'm going to keep looking at other lenders if you contact Equifax on my behalf. Can you agree to not use Equifax on this deal if I agree move forward today?" and it wasn't a problem.

Some of the larger lenders may not have this flexibility.

Yeah, instead of getting my lender to give me a better interest rate or a discount on fees, I'm going to instead use my negotiating leverage to make sure Equifax makes $20 less revenue.

Might as well not even vote. Your one votes can't turn the tide.

If you're in the position to be buying a house, voting is basically free. Ignoring a credit score when applying for a mortgage can be considerably more expensive.

That's not what they said though, they said they are gonna vote for whoever makes their life directly better in the relative short term.

Depending on where you live that can be very true.

That's why we get people like Trump.

He sure made some people's lives better.

Yes, but only a small demographic that actually votes.

If only 1% of the population actually votes, elected representatives will tend to represent that 1%. If you cede the centre ground you get extremists.

Say what you like about Trump, he managed to get his target demographic fired up and out to vote. $boring_reasonable_politician doesn't have the same ability by their nature to get people fired up, but we still need to vote for them.

Their loyalty lies mostly with campaign financers. If campaign financers want a different outcome than voters, they get it.

But then you're back to not voting and getting a Trump again.

Not voting is not a solution.

We're agreed on that.

When you say "$boring_reasonable_politician" I think Joe Biden. <yawn>

If what Trump did last election was getting them fired up, then this election they are going nuclear. Check out the massive waves of people at his rallies versus the trickles at the Dem's gatherings.

The next election is going to be decided by about 5% of the country that’s contested. Everyone else might as well not even bother filling in the box for president

Asimov's story takes this to its (extreme) logical conclusion:


There are more votes than just the presidential election.

Yeah that’s why I just said presidential a lot of other important elections that count on the downballot

Wasn't a problem? What do you think is more likely:

1) They didn't follow company procedure of which big banks insist employees follow otherwise the employees risk 'liability for not picking the 3 credit agencies'. Or

2) They lied and followed company procedure, and not tell you the outcome from them.

3) Your lender probably passed the request and got 1) or 2) later in the chain.

You're missing the most important outcome:

4) They insist they have to use Equifax, lose the deal, and note why in their records.

You mean, they insist you have to use Equifax, lose the deal, then then wonder what’s for lunch in the cafeteria today. Or most likely of all, every lender insists you have to use Equifax, and the people you interact with have no authority to even run your request up a management chain, let alone actually honor it.

reasons for losing sales get put in a database, and people pay attention when the same reason shows up repeatedly.

In my experience, nobody cares. I remember how long it took before Netflix finally supported a player on Linux desktop. And in the end, their decision had zero to do with customer demand or complaints for that feature.

You can log reasons for bad business outcomes all day long, millions and millions, and it won’t change corporate behavior.

Just pointing out that this analogy doesn't hold. Netflix's customer base running desktop Linux are a rounding error for the foreseeable future. 99% of any lender's customers would be at least somewhat pleased to drop Equifax and none of them receive any benefit from using Equifax's service over their competitors.

The amount of people who will actually demand a lender to omit Equifax is also complete roundoff error and insignificant compared with political dealing etc.

That is a self-fulfilling prophecy with no utility to the people making it.

Whatever it is, it’s just a fact of human behavior, and to understand the world around us, we ought to be honest about such facts and investigate how best to live in a world where such facts are true.

For instance, it might suggest that championing a grassroots boycott effort is a waste of time, and that perhaps putting that effort to lobby for laws by which these types of privacy breaches result in automatic prison time or high personal fines is a better option? Also not likely to succeed, but perhaps much more likely than asking rando consumers to not defect in their personal prisoner’s dilemma game with an unmoving corporate behemoth.

It's quite impressive how thoroughly the american consumer has been demoralized by these supposedly unmoving corporations.

> and it wasn't a problem.

That outcome is academic, as the parent specifically said it wasn't an issue.

What was your procedure for confirming they did anything but roll their eyes and go about their normal routine?

I kept Equifax frozen through the refinance

Sounds pretty suspicious. Like you have a really bad credit score on Equifax compared to the other two

In which case the Equifax score would have been dropped anyway. So the lender isn't in any worse position.

I guess Equifax has a low enough rep that it is less suspicious than for any other

lol “suspicious”, as if it matters

you realize you can say the wildest most unsophisticated things and they’ll just punch the numbers into a machine and get a “lend to this guy or not” result either way right?

At the very least, government sponsored entities should not give them money. I have tried to ask both Queens Borough Public Library and Research Foundation City University of New York (RF CUNY) but nobody I talk to has any authority on this matter.

I tried this when signing up for a Chase credit card and they said that it was their policy to use Equifax. (I had a credit freeze in place with Equifax at the time.)

You have to be willing to walk away if they say no, works best if the company cares about losing the deal - credit card signups might not be lucrative enough for a human to get involved and care.

Primary lenders ( the ones that actually lend their own money and at the end have the best rates -- arrived at adding the total expected cost of the APR plus add junk fees ) do not use non-automated underwriting for conforming loans. They win over the lenders that do not use automatic underwriting by tens of thousands of dollars.

Could someone explain what non-automated underwriting means? And what does confirming mean in this sense?

I get that they win compared to those who use more labor, but still some details would be nice :)

Automated underwriting is a computer program that takes your vital statistics as input (age, income, probably some illegal things like race and physical location of the house you're trying to buy [in RE lending, this is called "red-lining" and is illegal.]) and outputs a yes-or-no answer, sometimes with hints about what need to be changed to get a yes.

Manual underwriting is the same thing, only it's a person doing the same thing, and you can talk a person around.

Why might you need to do that? Well, I bought a rental building after I bought my primary residence, and I intended to move into the top unit in the building. Automated underwriting failed that because "primary home with more bedrooms and bathrooms" is "better" than "apartment in rental building" according to automated underwriting.

Since my lender also had manual underwriting, I was able to explain my situation to them, and why an apartment was preferable (I still don't understand why "I'll live there for a year to keep an eye on my investment" wasn't enough reason. They openly acknowledged that it was the superior way to do it, but it didn't move the needle on the formula)

Because one is a conforming loan and the other one is a non-conforming, which would mean that the issuer would have to hold the paper.

Strange. I've been assured hundreds of times on HN that computer algorithms are perfect and flawless, and that people are the problem.

Heck, Google built a billion-dollar business on making sure interfacing with wetware is a write-only process.

Using manual underwriting the poster above basically "lied" hence jeopardizing the portfolio. It worked for him but it was detrimental to the stability of the system.

> I get that they win compared to those who use more labor, but still some details would be nice :)

Mortgage portfolio performs best when its different portions match the exact specs of the models used to model the portfolio.

That basically means "plug in the numbers and receive an answer". That's automated underwriting. It is done pretty much exclusively for conforming loans: specific LTV, specific DTI of the borrowers, specific ranges of credit scores, specific amounts, specific points.

Manual underwriting is "In a view of a loan officer this mortgage should be ok".

People think that when they go to get a loan in a bank and sit down with a manager or a loan officer, they are getting manual underwriting. It is rarely the case -- most of the people on the other side just type in the answers into the software and it spits out the answer. That's what the likes of quickenloans and lending tree optimize and market.

Manual underwriting can be something like engineer #10 of WeWork shows up at a bank today and say "So, I want to buy that house for $5 million, and when We goes public I am going to be worth about 80mil, plus I still make my $250k a year". Most of the banks cannot handle this even though anyone with a brain should say 'Hmm... if he pledges all of the shares he currently owns plus all of his options and if he can get us in writing company's agreement that he can do that then we should totally loan him the money because his current holdings are worth $10m, he is borrowing $5m, and there are options that he should be able to exercise and he only has $80k in debt and his credit score is 675, so it seems he is ok. He is definitely a safer bet than that guy putting 25% down who will have only 10k in assets left after the first payment on a $2m loan we are giving. So if we are going to give a loan to the $2m guy, we should definitely give a loan to the WeWork engineer if he pledges his shares"

So there's an entire industry that exists which charges money for this "underwriting" when in reality it just sends the applications to a few banks that do it. But lots of people think that a mortgage broker can get them a better than deal a primary lender bank because of all the marketing. Those are the people that "won't pull Equifax because you asked"

Yeah, if I was a millionaire, I'd walk away.

I wanted the sign-up bonus. $800 of free money was too much to pass up in my financial situation.

This is the kind of situation where I think some regulation would help, e.g. federal law should allow me to decide which of the credit agencies they use.

Post-breach, both TransUnion and Equifax now work with CreditKarma to let you view your score and whether or not your report is locked, and they both let you create an online account with them as well to view your score or easily lock/unlock your credit report whenever you need to. Experian refuses to work with CreditKarma and only lets you "freeze" and unfreeze your account in the legally required way, which requires filling out a big form and resubmitting your Name, address and SSN every time you do it. To create a similar online account with them to manage lock/unlock status and view your score they charge an absurd fee of $20/month.

The problem with boycotting Equifax is I also want to boycott Experian. And in the future, maybe TransUnion will have a major issue, who knows.

Is the bank going to be cool with me boycotting the 2 biggest of them, or even all 3? Obviously not, so let's not pretend that consumer choice is a real way out of this mess.

Transunion, in my opinion, does it right. It's not a huge burden to get approved for anything because I have all my reports locked. However, transunion makes it very simple to lock/unlock.

This is why consumers need to organize to kill the worst one first.

Equifax has a poor reputation from the leak in addition to having an antisocial business model, so they are the most vulnerable.

You assume they still don't get paid when a credit report is run without asking for that burro. I don't see any evidence that this is how the fee structure works.

If not a lot of people are run through Equifax, their customers are going to ask themselves why they’re paying them.

That could at the very least give the customers leverage to negotiate the rates down, which would also hurt Equifax’s revenue stream.

Might not be a bad time for disruption by a blockchain https://bloom.co/

Wow, this is actually a great use case for blockchain

No it isn't. This would ensure that identity theft is a permanent and irreversible thing.

My lender wanted Equifax and Transunion only. I had no choice but to unfreeze it.

That's when you give them a 5 minute rant about how Equifax is bad for society and they should feel bad for supporting their business, then look for another lender.

I get benefits from my Equifax score and have made zero changes to my credit behavior, am aware of items on my credit report and am just as vulnerable to identity theft as all of you.

Its an objective acceptance of reality.

Typically I like to know which lenders check which score, so that I can strategically drop a hard inquiry on a particular reporting agency’s score, I use the multiple scores as a currency for maximum amounts of hard inquiries, as a hard inquiry temporarily lowers the score decreasing chances of approval or favorable lending terms. Once I hit two or three on Equifax, I will only apply with lenders that hit Transunion scores, etc. When the approvals go through my unutilized credit has increased so much that it has raised my scores more than the inquiries dropped them. When I actually go to apply for a mortgage I would be considered the most credit worthy borrower and save hundreds of thousands in interest payments.

I really don’t care about this crusade.

Everyone needs to realize that the whole "fine" was just an inside deal. Who do you think provides credit monitoring services? That's right, credit bureaus. That's why the they're pushing everyone to take the "free credit monitoring", so they recover the loss from the fine.

If they were to pay all 140 million people $125, the sum would be $17b or so, which is an appropriate fine.

You're right, $17B (or more, or dissolving the company) would start to actually spark off some real change in attitudes towards infosec among executives, instead of just continuing the status quo with this non-enforcement action.

The strangest part of this ordeal was when that guy from the FTC was encouraging consumers to take the monitoring on Equifax's request.

They're not even pretending to be regulated anymore, they just come out and tell the government what to say.

The senate report on this hack goes into lots of technical detail, savaging Equifax for their gross incompetence and negligence beat by beat: https://www.hsgac.senate.gov/imo/media/doc/FINAL%20Equifax%2...

Despite all this provable negligence and incompetence all laid out in writing for everyone to see they still suffered zero real consequences. This is going to keep happening over and over and over again until we decide it's unacceptable.

I actually don't think taking the monitoring is a bad idea. The $125 will not amount to much and he knew that. The monitoring does include some type of identity theft insurance I believe which could actually end up costing Equifax a lot more.

Since the settlement amount was fixed, I don't see any reason the the ftc to encourage not taking it for the wrong reasons.

Too bad the total amount is fixed. I don't care about the $125. I want them to lose a substantial amount of money so that they and everybody else start taking this more seriously.

The insurance has to be some kind of joke, they lost the data. The thing they were insuring against has already happened.

It's doubly painful, because the "free credit monitoring" on offer is provided by Equifax -- the exact company whose competence we don't trust anymore. The compensation for being affected by Equifax's security failure is a gratis security offering from that same company. For crying out loud, they could have at least paid Experian or TransUnion to do the monitoring: while they are just as shady, we don't have immediate evidence of their security incompetence.

It's like if you purchased a product that exploded, injuring you, but somehow the manufacturer was permitted to compensate you by giving you other products they manufacture. Why would you want those products? How do you know they won't also explode?

> It's doubly painful, because the "free credit monitoring" on offer is provided by Equifax -- the exact company whose competence we don't trust anymore.

The free credit monitoring is provided by Experian, not Equifax. [1]

[1] https://www.equifaxbreachsettlement.com/

Oh neat, I must have glossed over that part. Egg on my face then. It's still not great, but significantly better than I thought it was.

Of the 10 years of "free" credit monitoring, the first 4 years is from Experian but the remainder is from Equifax.

If it only looks suspicious, it is. They all golf together.

There is actually a response from the FTC about concerns relating to the credit service being offered by Equifax themselves.

Therefore the agreement stipulates that the first four years of monitoring is provided by Experian, the final 6 years, though, is still Equifax.


Also as soon as the breach happened Equifax started running on TV ads promoting their monitoring service for a fee.

They also made money from people freezing their credit and unfreezing their credit they charge a fee to unfreeze the credit report. I can't remember the exact amount but I think they wanted $10 from me to unfreeze my credit report early so I just waited out the freeze period instead... Which was inconvenient.

The life-long increased susceptibility to identity theft is worth quite a lot more than $125.

There has been a bit of pain aside from the flimsy monetary damages. To date Equifax had to manage numerous lawsuits from municipal, state and federal jurisdictions. They were investigated by FTC, SEC, Consumer Financial Protection Bureau, UK Financial Conduct Authority, UK Information Commissioner’s Office (privacy regulator) and the Office of the Privacy Commissioner of Canada. Equifax had to attend congressional hearings conducted by the House Financial Services Committee, the Senate Banking, Housing, and Urban Affairs Committee, the Senate Judiciary Subcommittee on Privacy, Technology, and the Law, the House Energy and Commerce Subcommittee on Digital Commerce & Consumer Protection and the Senate Commerce, Science, and Transportation Subcommittee on Communications. The outcome aside from monetary penalties also should factor substantial reputation damages, costs of increased regulation at both the state and federal levels, CEO Richard Smith retirement, issuance of a public apology and the IRS suspended its contract with Equifax. Further lawsuits, hearings and regulation will continue to tax Equifax.

It seems like companies only get the message when there’s jail time involved. None of the companies would freeze my credit since their web sites said some unspecified value couldn’t be verified for me, despite confirming my data was indeed lost. Pretty sure, like other regulations that include jail time, this wouldn’t have happened or their website to freeze my credit would have worked.

I agree. Until someone's ass is on the line, and I mean in terms of prison time and not merely their job, the rational thing to do for a shitty company that never cared for its customers is to continue with that approach.

Of note, you and I are not the customers of Equifax, we are the product they are selling.

Too rhetorical, and not informative.

Forecasts of whether you'll make good on a promise to pay money are the product they're selling.

Just wanted to make the distinction that we are not the customer therefore, expectation to be treated as a customer are not going to be met. I was highlighting the frame of thinking and context that one should be using when thinking about their relationship with such entities. I could have delved deeper and specified that it is actually aggregate data, about us that is the actual product. My main point (which granted I could have been more clear on), was to emphasis that expectations will not be met if one thinks of themselves as a customer to a credit reporting agency. That is unless they work as an agent of an entity extending credit to consumers.

It was not my intention to be rhetorical nor to cast moral judgment, rather just to highlight that the relationship is different than that of a customer/business relationship.

Totally agree. Courts also need to be less hesitant to disband corporations that break laws or court orders. Too big to fail should go the way of the dodo.

I also tried to freeze my credit and their website required me to put something in the mail. I did, including sending copies of various documents, and never got any response. I have the same issue with one of the credit reporting bureaus. They refuse to give me my legally required free credit report despite multiple attempts and mailings.

Remember that "freecreditreport.com" is a scam.

The real FTC-mandated free site is "https://www.annualcreditreport.com".

They should have used a .gov site to reduce phishing risk.

Yep I use that one

IANAL and I have not tried this, but have heard of it working: would sending a letter threatening a lawsuit get their attention?

I would have to get an actual lawyer with a lawyer's letterhead for them to care, probably. I don't really want to spend hundreds of dollars to get my free credit report.

Would you still need a lawyer if you went to small claims court? Or would that be extortion?

I don't have damages to sue for.

I disagree, but I want to be clear that I disagree on practical, not ideological, grounds. As others have pointed out, handing out prison sentences for security breaches would be counterproductive. If we make it financially ruinous, companies are more likely to change their behavior in the way we want then to.

I think a CISO or CEO going to jail would send a strong message to the rest of the business community.

That message would be "silently cover up any data breaches and hope they don't get discovered", wouldn't it?

I think that sentiment is already prevalent.

I imagine arresting the Equifax Board of Directors, or similar, would have only have the effect of forcing security breaches back underground.

It should force better security practices, but I know, it is crazy talk.

Why is Hacker news so obsessed with sending people to jail? Literally every time any sort of corporation get's fined (for nearly anything), there is a loud call to send people to prison.

It's like there is this undercurrent of bloodthirstiness and hatred for large companies and their leaders that get's brought to the surface.

Because many times, the default "punishment" is a fine that is often times a _small percentage_ of the _profit_ from the illegal/negligent act.

That is not a punishment, or even a deterrent. And therefore, corporate leaders continue, unabated, doing things like this. Because there is effectively zero incentive to do so.

If you are a corporate officer, directing and / or approving policies that are illegal, tell me why you should -not- go to prison?

> If you are a corporate officer, directing and / or approving policies that are illegal, tell me why you should -not- go to prison?

You should and the law allows for this. Certain crimes will get corporate executives locked up. It's a matter of making stricter liabilities and sentences for these white collar crimes, which really should have happened yesterday.

I absolutely agree. I was addressing the parent, more - and their question of "why does HN have this obsession with sending people to prison for corporate/white collar crimes?"

Because frankly wealthy, successful, rich people like those leading equifax (and many other major corporations) are not punished in the same way normal people are.

>Why is Hacker news so obsessed with sending people to jail? Literally every time any sort of corporation get's fined (for nearly anything), there is a loud call to send people to prison.

Because that is the default response to poor people, yet corporations don't have the same threat. They effectively become immune to the law as long as they are willing to pay the extra tax.

Jail time means a lot to people who usually commit high-stakes white-collar crimes since they have a lot to lose in those cases. A very material risk of facing it would definiely help prevent others from committing those crimes.

If you slap them in the wrist and let them carry on with a fine it makes it very easy for a psychopath to just risk it.

If you read the post, the question is how to change the behavior, and in the US would be white collar criminals are dissuaded by jail. We could give them a social score too, that seems to work in China.

I can't tell if you're being serious, but for the love of freedom I hope you're not.

Maybe not jail time but I would really want the board to be personally responsible for what they did. Or, if they can argue that they made sure their corporation had a good security culture, the executives who broke the company regulations need to be personally responsible.

Seriously, someone needs to be rehabilitated from this before they can be sent back into society. After someone gets out of jail from grand theft auto they need to understand that what they did was wrong and treating people like that hurts them. I’m not saying the executives need jail time and emotional trauma, but at least some sort of therapy where they’re confronted with the fact that doing this stuff with a hundred million people is not nice and has consequences. They should fundamentally rethink their lives and what brought them to do such a careless thing with people’s data, just like a convicted felon.

Edit: made it clearer that I meant the decision makers, not all owners.

Re: “owners”

You know the “owners” of Equifax are its shareholders, right? You’d end up sending a bunch of index fund managers to jail, among others.

I think you mean “officers and board members,” the people who can make day to day decisions for the company. If so, I support it. Lock! Them! Up!

Yeah, that’s what I basically meant since they are supposed to represent the owners. I’ll fix the post.

Are we "consumers" now, rather than "victims" or "citizens"? Are we defined by what we buy?

Thank you... words matter... "unwitting victims" would be more like it. Or perhaps "American citizens". As your rhetorical question points out, we are not defined by what we buy.

I did not directly provide my personally identifying information to Equifax, yet they held (and continue to hold) it and disclosed it en masse through their organization's technical incompetence.

I did not "consume" anything from Equifax, and yet, that is the default word that every newspaper writer reaches for whenever they need to refer to a class of people affected by any economic activity.

"Consumer" implies passivity, and in my opinion, leads to a mass culture of learned helplessness and anxiety/depression by implying our only value is our position on the hedonic treadmill. Hyperbolic? Perhaps, but why not choose a different word?

> "unwitting victims" would be more like it. Or perhaps "American citizens".

Non-citizens residing in the US were also affected. As were previous US residents who got a credit card or home loan or bank account while here.

>Are we "consumers" now, rather than "victims" or "citizens"?



> Are we "consumers" now, rather than "victims" or "citizens"?

Are you a child, a parent, a sibling, or a citizen?

Or are you all of those things depending on context?

I get what you're saying, but you chose a way of expressing it which invites immediate response.

They were saying that in this context it should say victims.

Saying consumers changes the way it is read.

Following your logic try this one:

Equifax doesn't want children to get their $125

It reads differently.

Framing matters. The headline author chose what they thought would be the most salient feature of the class of affected people—or it was chosen for them, by precedent. And I take issue with the idea that we are in any meaningful way "consumers" of Equifax (one interpretation) or that we are best described in an offhand way as taking a passive role in society (another interpretation). Even if the latter is often true, it's something to struggle against, not accept as The Way of Things.

In an ideal world, a white-hat would write a script that uses all of the hacked data to apply for the settlement on behalf of the hacked users so that the affected users don't have to individually work out how to hack Equifax's claims process.

In an ideal world, a government agency would fine Equifax the full amount, and customers could claim their money from them instead.

Or better, liquidate Equifax entirely to demonstrate that there are consequences that a fancy law firm can't mitigate.

I realize that's wishful thinking. Of course they're going to get away with paying what is effectively a parking ticket. Nor will any of their executives face any meaningful repercussions.

Courts would also have to bar current board members and maybe even investors from founding another credit agency. Not good enough to kill the company, gotta make sure it doesn’t come back.

You're missing the point. There is no hack. You can claim, but in order to claim you need to provide evidence you have credit monitoring. So in order to get 31 cents from equifax you need to prove that you're using an expensive useless service that is either provided by equifax or one of their equally useless competitors.

The hacking was done in court.

Creditkarma is free. Several credit cards/banks also offer free/bundled credit monitoring.

Why should it be my responsibility to monitor their services in the first place? Even if you do get free credit monitoring it's just yet another technique to shift blame on to the customer

It really is insane that people buy these services. Do you hire a security guard to stand in front of the bank as well?

CreditKarma is a data mining operation that should not be trusted with your data.

Source? What data would they mining? Isn't credit data already available to the public?

Ive never heard of this either. Yes, they use your data to offer you cards and they get a kickback for you signing up, but data mining?

Lenders don't look at credit karma, so they are useless, can show you any number you like.

That's not how this works.

Credit Karma buys the data for their free product from Equifax. So if lenders look at Equifax (and they do) then that's the exact same data.

You might wonder, "But if their product is free and they spend money buying the data for it, how can that make financial sense?" and that's the thing most consumers don't understand. What's better than selling advertising? Selling actual _customers_. Nobody (to a first approximation) is looking at credit scoring because they're bored, they are looking because they want to borrow money - they are potential customers for a lender. So you sign into Credit Karma and it says you're doing well, and they suggest you could get this MegaBank Gold Card. In fact, they've checked and you'll definitely qualify, no risk. You sign up, and MegaBank give Credit Karma a bunch of money for _finding them a new customer_.

> Credit Karma buys the data for their free product from Equifax.

Well, sorta. Credit Karma uses VantageScore 3.0 (https://en.wikipedia.org/wiki/VantageScore), which is different from the various FICO offerings, sometimes substantially. VantageScore has four different generations.

FICO has over sixty variants - by credit bureau, relevant industry (there is, for example, a mortgage-specific calculation), and generation (FICO 8 vs FICO 9).

As a result, depending on what score offering they pull, your lender may see a number that's 100 points different than the one Credit Karma shows.

> So you sign into Credit Karma and it says you're doing well, and they suggest you could get this MegaBank Gold Card. In fact, they've checked and you'll definitely qualify, no risk.

This is another misconception. "Pre-approval" doesn't mean they actually ran the numbers; they just have stats on how many people with a similar VantageScore succeeded when they applied via CK's referral links. If you look closely, CK's "you're pre-approved!" tag actually has this disclaimer underneath it:

"90% of pre-approved applicants get this card. Approval not guaranteed; subject to checks."

I can't speak directly to the US experience because it's different. However I did work for the biggest UK credit reference agency (one of Equifax's rivals) not so very long ago.

In the UK there is no "FICO score" but consumers anyway believe a single three digit number "ought" to summarise their credit history and so the Credit Reference Agencies just make one up. I actually sat in on meetings when the rating were being changed where they argued about on the one hand a factor isn't relevant to most lenders any more, on the other hand consumers really _expect_ it to matter and are disappointed when it doesn't affect their score...

The intended consumers of credit data here all have proprietary algorithms to target audiences (rather than any of them relying on a simplistic "score") with a binary outcome, indeed your credit might be "too good" for some offerings. A card with 0% for 12 months is not aimed at people who'll use the card for 12 months then pay off the entire balance without flinching and walk away.

Definitely some of the offerings in the UK are approved based on knowing your _actual_ results in the proprietary algorithm because the card company is giving that algorithm (under legal agreement not to disclose it) to be used to ensure they only get given customers they'd accept. They're not "estimating" whether you'd be accepted. They don't want to waste their time on non-targets any more than the consumer wants to waste time applying for a card they won't get.

There will be some rate of non-acceptance for other reasons, but "not credit worthy" shouldn't be on the list, that's sort of the whole rationale for this business.

>'VantageScore has four different generations.'

What is a "generation" here?

I would be curious to hear if people view Kredit Karma as trustworthy. I think I didn't understand their business model prior to reading this. Thanks

A generation is an algorithm change. For example, in VantageScore 3.0 (used by Credit Karma), your utilization percentage doesn't have a "memory" - your score reflects only your current utilization level. In 4.0, utilization has a memory - if you've been running maxed-out cards for a year, and you pay it all off right before applying for more credit, your score doesn't improve as much as in 3.0.

There's a pretty good comparison at https://www.creditkarma.com/credit-cards/i/vantagescore-30/ between VS 3, VS 4, FICO 8, and FICO 9.

> I would be curious to hear if people view Kredit Karma as trustworthy.

I strongly suspect their card/loan recommendations (where they make the bulk of their revenue) are intended to steer users into the ones that earn them the most commission. You'd want to go into it with eyes wide open and do a lot of independent research.

Thanks for your response and links.

I should have qualified my question about the trustworthiness of Kredit Karma better. What I really meant to ask was are they trustworthy enough to hold one's data in exchange for using them as a monitoring service?

The point is not whether it's good or bad; the point is that it's a free service that allows you to tell Equifax truthfully that you want the check and not their free credit monitoring.

I have credit monitoring but signed up for it from this settlement anyway. I doubt anyone will see anymore than a couple of bucks from this. It's a scam and they got away with it. That's what happens when your government cares more about corporate profits than people. None of the things here will do anything to change that short of pursuing your own case against them which will definitely cost more than $125, not to mention time and effort. The bad guys just won. As usual.

Equifax cannot afford to pay $125 to each member of the potential class. It's way above their revenue, let alone profit. So they would go bankrupt and whatever cash is on hand would be divvied up. The credit information would presumably be sold to the highest bidder.

How about the FTC instead agrees that identities cannot be stolen and puts companies on the hook for the money they lose by not verifying identity. You have an account with a bank and they give the money to a fraudster? Well, then they have to credit your account and go looking for the money. Someone opens a loan in your name? The company has to pay you for the time spent removing their garbage from the credit report and they have to go get the money back from the fraudster. Why not just remove the bite from identity theft?

Their ability to pay would be limited by their assets, not revenue or profit. If they've been making profit for years, they might easily have enough cash. Also, their future profits can be borrowed against to pay for a one-time expense like this.

I have no idea whether they have the cash or not, I'm just pointing out that looking at their current revenue and income is not enough. :)

> Equifax cannot afford to pay $125 to each member of the potential class.

That’s not the victims’ problem. Even if Equifax has to be completely liquidated to cover the compensation, the government should fight to make an example of such a terrible company and give the victims some sense of justice. Hopefully the board and the executives would rethink their lives and careers, maybe even change.

It becomes the victims' problem when Equifax declares bankruptcy and escapes paying.

The upside is their competitors sees what happens to that guy and never make the same mistake.

A company the size of Equifax going bust due to negligence would show Experian, Lexis-Nexis, and Transunion that these records aren't assets but large liabilities to be handled with extreme diligence.

> How about the FTC instead agrees that identities cannot be stolen

Well, sure, if identities cannot be stolen, the whole problem is solved.

This whole process is a joke. I went and dug up my claim number, entered it into the site to amend, and the site just dies and doesn't allow me to proceed any further. If they had my contact info to begin with, just cut me a check and skip the shenanigans.

do you have a link? I can't find it. This same thing was happening to me when I first got the email

I just did it and it worked fine. followed the link from my email.

I'm definitely going to write a letter objecting to the settlement, and will urge everyone I know to do so as well.

I don't remember where I saw this, but I do remember reading that if you are going to object you cannot object to the settlement amount, just the settlement in general. And reasoning for the objection cannot be monetary.

To what? The Trump-controlled FTC? The castrated CFPB that now spends its time promoting a partnership with the most medieval red states called the "Financial Innovation Network" (https://www.consumerfinance.gov/about-us/newsroom/bureau-sta...)? Where do you think that's going to get you?

To the court. RTFA please.

The title of this post (which, admittedly, was taken from the NYTimes) isn't really correct.

The terms of the settlement have been set. Equifax's financial outlay is fixed. All of the post settlement divvying up of the funds is being administered by the government bodies who negotiated the settlement, not Equifax.

Equifax's desires about how the money gets divvied up at this point are irrelevant.

You're right. The title is not very accurate.

The text from the Equifax Settlement Administrator

> Your Equifax Claim: You Must Act by October 15, 2019 or Your Claim for Alternative Compensation Will Be Denied. The amount you receive in connection with your alternative compensation claim may be significantly reduced depending on how many valid claims are ultimately submitted by other class members for this relief. Based on the number of potentially valid claims that have been submitted to date, payments of these benefits likely will be substantially lowered and will be distributed on a proportional basis if the settlement becomes final. Depending on the number of valid claims that are filed, the amount you receive for alternative compensation may be a small percentage of your initial claim.

That text was just them fear mongering. Even the FTC urged to opt for the credit monitoring instead through more fear inducing statements.

> You can still choose the cash option on the claim form, but you will be disappointed with the amount you receive and you won’t get the free credit monitoring.

> https://www.ftc.gov/enforcement/cases-proceedings/refunds/eq...

But, if this is how the whole process is "administered", then I guess you might as well not have any hopes of seeing the compensation.

EDIT: Corrected to identify the authority of the email correctly.

Equifax didn't send you that email. If you read further down in the e-mail it even says "This email is from the Court-appointed settlement administrator, not Equifax."

Fair enough. That just makes the whole thing even worse. There's basically no hope in receiving the compensation anymore.

The vast majority of the settlement is designated for people who experience actual harm (identity theft of some kind basically) from the breach.

It's perfectly reasonable that people who's lives haven't been negatively impacted in any real way don't receive anything more than a token payment.

The alternative compensations was set at $31 million. And the cash compensations per person caps out at $20,000. If we start with this cap, the settlement was supposed to benefit only 1,550 individuals out of the 148 million records that were breached. Even if you assume just $125 per person, that number only benefits 248,000. So the number of people benefiting from this range between 1,550 and 248,000, if the original settlement claims were to be upheld. Instead, every claimant is now being asked to get credit monitoring from the same company that couldn't secure the records. To be fair, the FTC does suggest getting an alternative from Experian, but only in the FAQ.

The 31 million is for the people that haven't experienced any identity theft. This is the money being split up by all the people making $125 claims.

The total pool to pay out claims to consumer is 425 million. Subtracting the 31M that leaves 394 million for people who experience real harm. The $20,000 cap per person is for people drawing money from this pool.

Um, the FTC says otherwise.

> For consumers impacted by the Equifax breach, today’s settlement will make available up to $425 million for time and money they spent to protect themselves from potential threats of identity theft or addressing incidents of identity theft as a result of the breach.


That consumer fund of $425 million was "supposed" to also cover protection from any potential incidents of identity theft. So, let's go with this pool then. Assuming there are 21,250 valid claims qualifying for the cap, is the settlement complete? There's no one left to compensate? I'd say clearly not. Are you willing to bet that only 0.01% of the breached credentials were misused? How did they even arrive at this number? Let's say we assume, it really is a number lower than that. With whatever's left, I'd be willing to bet, a significant number would not trust Equifax with monitoring anymore. Perhaps they even bought credit monitoring as a reaction to the breach. How do you compensate that? Which ever way you want to slice this, it's clearly insufficient.

That FTC statement says exactly what I said:

There is a 425 million pool. It's to be used for:

1) "time and money they spent to protect themselves from potential threats of identity theft" (the 31 million part)


2) "addressing incidents of identity theft as a result of the breach" (the 394 million part)

And yes, at some point both pools can be exhausted at which case there will be no more money for future claims. That's how a settlement works. Since there have currently been exactly 0 incidents of identity theft as a result of the breach it might not be so far fetched to say that there will be plenty of money in the pool to cover any incidents.

Your original comment, before you edited it, did not call that out. You specified the 425 million as only for people affected by the breach. And that's not what it was for. Anyhow, how do you know there have been exactly 0 incidents? Where do you even begin to trace any incident back to this breach as the cause? Claiming it as non-existent is a bit naive. The damage has been done. Your information is out there. Again, slice it anyway you want. Let's assume NO ONE has been ACTUALLY impacted. Let's go with identify theft protection. As a consumer, I don't trust Equifax anymore. Since they mishandled my data, it's perfectly valid for me to reject them and opt for another monitoring service I trust, which let's say I have to pay for. I am in the situation covering my bases because of Equifax. So, I expect them to compensate me for this service. Oh wait, there's no money left. Use our credit monitoring service or get wrecked. And this is ok? So, based on your statement, we're literally relying on a vast majority of people either opting for the credit monitoring from Equifax or not claiming any damages for the rest to receive any compensation? If that's OK, then I guess I'll stop engaging here.

There are numerous credit monitoring services you can use for free. There is no need for you to get any money to use one.

I personally like CreditKarma.com

It's not about you though. People have choices. They don't trust a free service, because you more often than not end up being the product. Again, not claiming Credit Karma sells your data (on the contrary the CEO claims it's only for selling ads based on your credit report)


But it's my choice as a consumer. Do you make all of your choices with only cost as the factor? Probably not. Or at least not when it comes to security. So, people will have their preferences. But apparently not, if you're party to this settlement.

Mostly agreed. My understanding is the divvying up is not a govt entity, and the judge still has to approve the settlement, which isn’t a foregone conclusion, so it’s not entirely true that Equifax is out of the woods. Also, the reputational damage hits them even if they’re not the proximate actor here.

I, for one, think it's kind of unfair that equifax is being blamed for the contents of communications it had no hand in crafting. Especially when the major organizations like the NYTimes are so unclear in their headline writing about what is actually going on.

I guess we disagree both on that this article was misleading and that Equifax doesn't deserve the blame.

Equifax had a lot of say in how this settlement played out. My guess is their legal team is trying to reduce the number of cash claimants so they don't get the bad press when $.02 checks get mailed out--or there's some other benefit in adding more steps to this silly process. Their legal team is representing their interests. Drawing attention reduces the likelihood this happens in future settlements. Focusing it on Equifax makes the story way more clear.

Saying "Equifax Data Breach Settlement Administrator" (taken from equifaxbreachsettlement.com) instead of "Equifax settlement team" (used in the article) doesn't seem appreciably different.

Saying "Equifax Data Breach Settlement Administrator" (taken from equifaxbreachsettlement.com) instead of "Equifax settlement team" (used in the article) doesn't seem appreciably different.

I agree those two aren't appreciably different. They are both bad if the writer doesn't make it clear that the team (no matter the name) isn't in the employ or under the influence of equifax in any way.

I guess I just put more responsibility on Equifax itself even if these actions were through an intermediary of theirs. This makes me think of the Tylenol tampering in the early 80's [1]. Johnson & Johnson's response wasn't court mandated (what doesn't seem to be mentioned is that it wasn't just a targeted recall, but a wide recall encompassing unaffected product in order to regain trust with consumers) Equifax chose their response to be court-mandated and minimal. Someone chose this representation that's creating additional hoops.

I'm glad to see them citing sources properly. I can understand your concern they're not emphasizing the right party, but I don't think that would really help. Most people think class-action settlements are a joke, which means they don't have faith in the legal system. If Equifax feels like their reputation is damaged after fulfilling their legal obligations, they're free to do more.

[1] https://en.wikipedia.org/wiki/Chicago_Tylenol_murders#Johnso...

even if these actions were through an intermediary of theirs

The Equifax Data Breach Settlement Administrator is not an intermediary of Equifax. It's a court appointed representative of the plaintiffs.

Someone chose this representation that's creating additional hoops.

Indeed, and that someone is the plaintiffs. Not the defendants.

I understand Equifax did not hire the Settlement Administrator. I still see Settlement Administrator as an intermediary for the Equifax legal case. Like you are saying, the parties here are the plaintiffs, defendants, and the legal system. I feel like focusing the Settlement Administrator just diffuses blame (for all we know they are just following the terms of the agreement). I think the article appropriately focuses on Equifax and how poorly the legal resolution is playing out.

I was a little confused by that. My best guess is that they're hoping that they can shuffle enough people off onto credit monitoring that the hundred million people getting a nickel apiece don't demand they re-open their settlement?

That seems unlikely. Perhaps they're hoping that some of their new credit monitoring customers will like it so much that they'll pay for the service after the term expires?

I chose the cash option because I have credit monitoring through 2025 from the OPM breach of my SF-86 (security clearance application information) years ago. This is so idiotic. The FTC did consumers no favors in negotiating such an absolutely pitiful settlement.

This is the sort of thing that millennials should focus our energy on. We may be politically polarized, but I think we can all agree that this is bullshit and needs to be fought.

Is Equifax actually liable or responsible for anything? No jail time or other penalties for executives. Okay so how are they held accountable?

They were incredibly negligent and nepotistic.

Their head of security, Susan Mauldin, had zero security or computer skills - she was a music teacher.


It appears that the higher you go up the corporate ladder, the more it is about connections rather than actual knowledge, to the point that knowledge carries almost zero weight and connections are everything. A lot of companies are like this, and most of them (including Equifax) are still going strong. Meritocracy at the bottom and nepotism at the top seems to be the deal.

Anyway, the last line of the article sums it up well: "Everything about this fiasco just gets more and more surreal."

Look at UK politicians as an example, they usually have no specialist training for their brief (the government department they direct) and often jump from one section to another.

There's a sense in which they have control of entire industry sectors, some higher learning or extended experience should really be required.

I think it's because their job is to make purely political decisions, leading to decisions that on the surface actually look insane.

This is the way the corporate world has always worked. The problem is when this world collides with software, where actually knowing what the hell you're doing matters.

> This is the way the corporate world has always worked.

To an extent, yes, but much more so now than in the past few decades. In the past, those who were senior exectives responsible for technical aspects of the company would usually be very strong technically, having worked their way up from more junior positions and gaining management training along the way.

Knowing what you're doing always mattered, but you don't need to be a qualified engineer to deploy software, unlike say, a building. I maintain that we need the title of 'software engineer' to really mean something, and for someone in a position like Chief Security Officer to be qualified as such. If a bridge collapsed due to the person responsible being a music teacher then you can bet there'd be jail time.

She graduated with a degree in music, so what? How many of your technical co-workers and colleagues have degrees in non-STEM fields? Probably more than a few. How many of us with actual CS degrees learned about security? I have both a BS/MS in CS, from a top school, and I never once had a class on security. Don't think one was even offered.

The question is what was her experience prior to being promoted? I have not kept track of this "scandal" since it started, but someone's education should not be a major factor.

All that said, she was pretty bad at her job.

> The question is what was her experience prior to being promoted?

I agree this is the real question. If someone doesn't have a related degree, but has the experience, that's one thing, however I've seen a handful of examples where someone with both and unrelated degree and barely, if any, relevant experience get high up technical positions (I assume mostly because of knowing the right people in a company where tech is a cost center)

She had 15 years of experience in increasingly senior positions. You have no idea what additional training or certifications she achieved. And the early Bloomberg reporting that detailed the hack painted her in a very positive light, trying to do the right things under pressure from more senior "leadership" to cut costs and speed things up.

Jail time for executives seems a little excessive for some employee merely failing to apply a security patch...

On the other hand, this settlement shouldn't have been capped at such a ridiculously low amount.

> Jail time for executives seems a little excessive for some employee merely failing to apply a security patch...

No, it's not. If you collect personal information of almost 150 million people, you have to take measures to protect that data.

If you fail to do that, you can't just say "oops, I didn't mean that"...

Apparently you can totally just say whoopsie. A bit backslash here, some penalties over there and it's fine, the sun comes up next day morning the same.

If you have not read the Equifax Data Breach Report put out by the US Congress, I highly recommend it. The security issues at Equifax went far beyond "failing to apply a security patch."


some employee

It’s not “some employee”. It’s an entire management hierarchy that failed to prioritise and budget for and create a culture around security best practices.

They made the conscious decision to monetize personal data belonging to more than a hundred million people. That means they should take every measure available to make sure something that sensitive is not released.

If this was the US Airforce who lost an armed nuclear ICBM the commanding officer who was ok with this ”whoopsie” would have to explain him or herself to quite a few officials.

There's so much truth here. There are soldiers and marines fighting land wars in Asia that have to go on life risking missions to retrieve lost tech that's ITAR or worth more than some monetary amount I think $15 or $20K or spend months filling out paperwork explaining the loss. But CRAs get a free ride.

> They made the conscious decision to monetize personal data belonging to more than a hundred million people. That means they should take every measure available

I disagree. I think it means they owe a hundred million people (a) an offer to opt-in to their service and (b) a share of their profits for doing so.

Yeah, I agree with that. Basically we want to use a and b as incentives for them to take every measure available not to fail like this ever again. And as incentives for everyone else in the business.

> merely failing to apply a security patch

...and leaking information about every working age adult in the US.

And having a music major as chief security officer.

And having sensitive data stored as plaintext.

Their entire business is about managing information. They failed to do the only thing they are supposed to do.

If you’re collecting personal and financial data points on over a hundred million people and one employee makes a mistakes that results in this kind of leak, as a leader you should be charged with with gross negligence. Why were there no guard rails in place? Why is one employee a single point of failure?

That's just what they want you to think. Really they just sold the data off on the international market.

I am 1000000‰ sure it is both.

Something I've wondered always wondered when reading through class actions: do multiple class actions suits over the same set of facts ever happen? Are they possible?

It seems technically possible: Class action settlement reached, somehow a huge portion of the impacted class opts out of the settlement (extremely unlikely, but possible). Opted out class members somehow organize a subsequent action.

Is the above possible? By opting out, you explicitly keep your own individual right to bring action against the defendant, but does it bar class action participation? There's a moral hazard argument that allowing this would create a perverse incentive on the part of the class legal representation to encourage class members to opt out of the settlement and organize subsequent actions.

I am not a lawyer, but to me if you signed up for class action, and you agreed that the $125 check supposed to be the payment for your damages and the other party backed off and did not provide it that means the agreement shouldn't be valid.

Disclaimer: IANAL (but did go to law school and vaguely paid attention to this part so lawyers, please correct my recollections where wrong)

My recollection is that, usually, only a small number of people actively sign up to the class during the lawsuit & settlement negotiation phase, and the named class is guaranteed a substantially higher payout. The settlement is worded as up to $X for the rest of the class, who can choose to accept the fact that the amount is not a guarantee or decline and keep their ability to bring a subsequent action (hence my original question of "Can you bring subsequent class action suits comprised of different subsets of the same impacted class?").

So basically, the people who actively signed up are getting a guarantee of an amount they negotiated, the rest of us are stuck deciding how valuable "up to" $125 actually is.

We really need accountability for stake holders who discount security concerns because some cool widget "adds value" and everyone else is doing it.

Honestly.. send these people to jail make an example out of them.. hopefully people will think twice.

Question not specifically related to the settlement:

Shouldn't this breach of nearly half of all Americans' social security numbers be the nail in the coffin of pretending SSNs are a secret that can be used to verify your identity?

We're all going to wind up with closer to $1.25. Wow. Thanks for the bean burrito.

tl;dr: For those who applied for the $125 payout option in the Equifax data breach settlement, you should've gotten an email requiring that you provide more information by October 15, or that your claim would be denied.

The FTC confirms it's legit: https://www.ftc.gov/enforcement/cases-proceedings/refunds/eq... (FAQ 4 item 2)

The article's author says Gmail filed it into the 'Promotions' folder.

FWIW the Equifax email didn't go to Promotions for me, it was in the regular Gmail inbox, and marked "Important".

The information required is only a single input where you type the name of your credit monitoring service, and affirm you will continue to use it for at least 6 months.

Not a high bar to clear. Mint.com offers credit monitoring for free, as do a number of credit cards.

I received no such email and I signed up fairly quickly for the $125. I've checked my spam folder as well as everywhere else, they simply haven't sent me such an email.

Neither did I. Does anyone know what to do in this case? I have my Equifax claim code.

Go to the claim web site and choose to 'Modify/Amend Your Claim'. There should be a place now for you to specify which credit-monitoring service you are using.

Unfortunately I have no such claim code. I also don't remember receiving one and there was never a confirmation email sent. If there was one on the screen, I regret not saving it. It's sad and frustrating the lengths they are going to, to make sure they pay so very little for screwing so many people.

I also haven't gotten anything from them, yet!

> The article's author says Gmail filed it into the 'Promotions' folder.

Yeah, but they have to contact people by email because they don't have anyone's physical home address.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact