You can send a letter to the Courts and let them know why you do or don't think this is a sufficient and decent settlement.
Share it, let's get people writing in, because this lets Equifax keep really everything and in the end little real effect from their failure to take care of the information they were entrusted with.
Hmm... Would not they just file for a Chapter 11 bankruptcy, restructure their debts (i.e., write those pesky $125 payments off), then emerge in a better shape than they were?
What does that mean? As far as I know, you can't just announce that you're "writing off" debts and have them magically disappear.
And unless you're _exceedingly_ careful and diligent, after a short period of time, you will be paying them to continue it.
Then, we can try killing people who commit heinous crimes, or at the very least lock them up for the duration of their lives. When you make a mistake, you and everyone around you should pay, regardless of their involvement or actual harm done to others. Dearly. Why has no one thought of this? I have no worries, because me and the work I do are without flaws. Sounds like Utopia.
But, really, I think a corporate "death penalty" would be much more justifiable than a corporeal one. The company can reform its business and try again; whatever's left of it (the ultimate shareholders) could even be made whole (with cash) if the decision was egregiously bad. Natural people, on the other hand, aren't coming back from the dead.
I don't follow the "perfection" part of your comment. I'm certainly not suggesting that this be the only remedy, but this is, as things go, pretty bad, and maybe it deserves a pretty harsh punishment.
Unfortunately I'm not sure that's an option:
"You can’t ask the Court to order a larger settlement; the Court can only approve or deny the settlement as it is."
But who knows, they've been pretty craven and uncaring throughout. CRAs are not very good companies, honestly.
Option 1, Credit Monitoring: Free Service or Cash Payment
Option 2, Cash Payment: I want a cash payment of up to $125. I certify that I have credit monitoring and will have it for at least 6 months from today.
Current Credit Monitoring Service: Self
Cash Payment: Time Spent
No spent time
Cash Payment: Money You Lost or Spent
No money lost or spent
No documents selected
How Would You Like to Receive Your Cash Payment
edit: Thanks for replies; the answer is "no". You can check if you were affected on the settlement homepage under "I would like to..."
I was not affected by the breach, so a letter from me would not matter.
1. If you are a Settlement Class Member, you can object
2. Your objection letter must include: A statement as to whether you intend to appear at the Fairness Hearing
This means you cannot opt out and also object, and you also need to spend $$$ either traveling to the court or finding a lawyer to appear for you.
Not sure how many people are willing to do that.
Do you know how to file the objection electronically?
They are a horrible company that needs to go out of business. Make their customers feel embarrassed to be doing business with them.
In peace and science, social justice and medicine, things have never been better.
How do we sound smart with zero effort? Well we don't want to be gullible (everything is good and fair!) so we do the opposite (everything is corrupt and bad!).
I really wish it were more than that.
Saying something like "Amazon is good" well, that's an opinion, definitely grey. Saying "This is exactly 1 inch", well, it probably isn't and the more you care about its accuracy, the harder it is to measure. Most things are like that. Clear cut at first, and increasingly more difficult the more precise you go. The devil is in the details.
So, yes, if the only options are black and white, the answers are generally easy, you've got a 50% chance of being wrong. As soon as you blur the line, you're basically wrong all the time. The goal is to be less wrong, and to improve, make progress.
Some of the larger lenders may not have this flexibility.
If only 1% of the population actually votes, elected representatives will tend to represent that 1%. If you cede the centre ground you get extremists.
Say what you like about Trump, he managed to get his target demographic fired up and out to vote. $boring_reasonable_politician doesn't have the same ability by their nature to get people fired up, but we still need to vote for them.
Not voting is not a solution.
If what Trump did last election was getting them fired up, then this election they are going nuclear. Check out the massive waves of people at his rallies versus the trickles at the Dems' gatherings.
1) They didn't follow company procedure of which big banks insist employees follow otherwise the employees risk 'liability for not picking the 3 credit agencies'. Or
2) They lied and followed company procedure, and not tell you the outcome from them.
3) Your lender probably passed the request and got 1) or 2) later in the chain.
4) They insist they have to use Equifax, lose the deal, and note why in their records.
You can log reasons for bad business outcomes all day long, millions and millions, and it won’t change corporate behavior.
For instance, it might suggest that championing a grassroots boycott effort is a waste of time, and that perhaps putting that effort to lobby for laws by which these types of privacy breaches result in automatic prison time or high personal fines is a better option? Also not likely to succeed, but perhaps much more likely than asking rando consumers to not defect in their personal prisoner’s dilemma game with an unmoving corporate behemoth.
That outcome is academic, as the parent specifically said it wasn't an issue.
you realize you can say the wildest most unsophisticated things and they’ll just punch the numbers into a machine and get a “lend to this guy or not” result either way right?
I get that they win compared to those who use more labor, but still some details would be nice :)
Manual underwriting is the same thing, only it's a person doing the same thing, and you can talk a person around.
Why might you need to do that? Well, I bought a rental building after I bought my primary residence, and I intended to move into the top unit in the building. Automated underwriting failed that because "primary home with more bedrooms and bathrooms" is "better" than "apartment in rental building" according to automated underwriting.
Since my lender also had manual underwriting, I was able to explain my situation to them, and why an apartment was preferable (I still don't understand why "I'll live there for a year to keep an eye on my investment" wasn't enough reason. They openly acknowledged that it was the superior way to do it, but it didn't move the needle on the formula)
Heck, Google built a billion-dollar business on making sure interfacing with wetware is a write-only process.
Mortgage portfolio performs best when its different portions match the exact specs of the models used to model the portfolio.
That basically means "plug in the numbers and receive an answer". That's automated underwriting. It is done pretty much exclusively for conforming loans: specific LTV, specific DTI of the borrowers, specific ranges of credit scores, specific amounts, specific points.
Manual underwriting is "In a view of a loan officer this mortgage should be ok".
People think that when they go to get a loan in a bank and sit down with a manager or a loan officer, they are getting manual underwriting. It is rarely the case -- most of the people on the other side just type in the answers into the software and it spits out the answer. That's what the likes of quickenloans and lending tree optimize and market.
Manual underwriting can be something like engineer #10 of WeWork shows up at a bank today and says "So, I want to buy that house for $5 million, and when We goes public I am going to be worth about 80mil, plus I still make my $250k a year". Most of the banks cannot handle this even though anyone with a brain should say 'Hmm... if he pledges all of the shares he currently owns plus all of his options and if he can get us in writing company's agreement that he can do that then we should totally loan him the money because his current holdings are worth $10m, he is borrowing $5m, and there are options that he should be able to exercise and he only has $80k in debt and his credit score is 675, so it seems he is ok. He is definitely a safer bet than that guy putting 25% down who will have only 10k in assets left after the first payment on a $2m loan we are giving. So if we are going to give a loan to the $2m guy, we should definitely give a loan to the WeWork engineer if he pledges his shares'
So there's an entire industry that exists which charges money for this "underwriting" when in reality it just sends the applications to a few banks that do it. But lots of people think that a mortgage broker can get them a better deal than a primary lender bank because of all the marketing. Those are the people that "won't pull Equifax because you asked"
I wanted the sign-up bonus. $800 of free money was too much to pass up in my financial situation.
This is the kind of situation where I think some regulation would help, e.g. federal law should allow me to decide which of the credit agencies they use.
The problem with boycotting Equifax is I also want to boycott Experian. And in the future, maybe TransUnion will have a major issue, who knows.
Is the bank going to be cool with me boycotting the 2 biggest of them, or even all 3? Obviously not, so let's not pretend that consumer choice is a real way out of this mess.
Equifax has a poor reputation from the leak in addition to having an antisocial business model, so they are the most vulnerable.
That could at the very least give the customers leverage to negotiate the rates down, which would also hurt Equifax’s revenue stream.
It's an objective acceptance of reality.
Typically I like to know which lenders check which score, so that I can strategically drop a hard inquiry on a particular reporting agency’s score, I use the multiple scores as a currency for maximum amounts of hard inquiries, as a hard inquiry temporarily lowers the score decreasing chances of approval or favorable lending terms. Once I hit two or three on Equifax, I will only apply with lenders that hit Transunion scores, etc. When the approvals go through my unutilized credit has increased so much that it has raised my scores more than the inquiries dropped them. When I actually go to apply for a mortgage I would be considered the most credit worthy borrower and save hundreds of thousands in interest payments.
I really don’t care about this crusade.
If they were to pay all 140 million people $125, the sum would be $17b or so, which is an appropriate fine.
The strangest part of this ordeal was when that guy from the FTC was encouraging consumers to take the monitoring on Equifax's request.
They're not even pretending to be regulated anymore, they just come out and tell the government what to say.
The senate report on this hack goes into lots of technical detail, savaging Equifax for their gross incompetence and negligence beat by beat: https://www.hsgac.senate.gov/imo/media/doc/FINAL%20Equifax%2...
Despite all this provable negligence and incompetence all laid out in writing for everyone to see they still suffered zero real consequences. This is going to keep happening over and over and over again until we decide it's unacceptable.
Since the settlement amount was fixed, I don't see any reason for the FTC to encourage not taking it for the wrong reasons.
It's like if you purchased a product that exploded, injuring you, but somehow the manufacturer was permitted to compensate you by giving you other products they manufacture. Why would you want those products? How do you know they won't also explode?
The free credit monitoring is provided by Experian, not Equifax. 
Therefore the agreement stipulates that the first four years of monitoring is provided by Experian, the final 6 years, though, is still Equifax.
They also made money from people freezing their credit and unfreezing their credit; they charge a fee to unfreeze the credit report. I can't remember the exact amount but I think they wanted $10 from me to unfreeze my credit report early so I just waited out the freeze period instead... Which was inconvenient.
Forecasts of whether you'll make good on a promise to pay money are the product they're selling.
It was not my intention to be rhetorical nor to cast moral judgment, rather just to highlight that the relationship is different than that of a customer/business relationship.
The real FTC-mandated free site is "https://www.annualcreditreport.com".
It's like there is this undercurrent of bloodthirstiness and hatred for large companies and their leaders that gets brought to the surface.
That is not a punishment, or even a deterrent. And therefore, corporate leaders continue, unabated, doing things like this. Because there is effectively zero incentive to do so.
If you are a corporate officer, directing and / or approving policies that are illegal, tell me why you should -not- go to prison?
You should and the law allows for this. Certain crimes will get corporate executives locked up. It's a matter of making stricter liabilities and sentences for these white collar crimes, which really should have happened yesterday.
Because that is the default response to poor people, yet corporations don't have the same threat. They effectively become immune to the law as long as they are willing to pay the extra tax.
If you slap them on the wrist and let them carry on with a fine it makes it very easy for a psychopath to just risk it.
Seriously, someone needs to be rehabilitated from this before they can be sent back into society. After someone gets out of jail from grand theft auto they need to understand that what they did was wrong and treating people like that hurts them. I’m not saying the executives need jail time and emotional trauma, but at least some sort of therapy where they’re confronted with the fact that doing this stuff with a hundred million people is not nice and has consequences. They should fundamentally rethink their lives and what brought them to do such a careless thing with people’s data, just like a convicted felon.
Edit: made it clearer that I meant the decision makers, not all owners.
You know the “owners” of Equifax are its shareholders, right? You’d end up sending a bunch of index fund managers to jail, among others.
I think you mean “officers and board members,” the people who can make day to day decisions for the company. If so, I support it. Lock! Them! Up!
I did not directly provide my personally identifying information to Equifax, yet they held (and continue to hold) it and disclosed it en masse through their organization's technical incompetence.
I did not "consume" anything from Equifax, and yet, that is the default word that every newspaper writer reaches for whenever they need to refer to a class of people affected by any economic activity.
"Consumer" implies passivity, and in my opinion, leads to a mass culture of learned helplessness and anxiety/depression by implying our only value is our position on the hedonic treadmill. Hyperbolic? Perhaps, but why not choose a different word?
Non-citizens residing in the US were also affected. As were previous US residents who got a credit card or home loan or bank account while here.
Are you a child, a parent, a sibling, or a citizen?
Or are you all of those things depending on context?
I get what you're saying, but you chose a way of expressing it which invites immediate response.
Saying consumers changes the way it is read.
Following your logic try this one:
Equifax doesn't want children to get their $125
It reads differently.
I realize that's wishful thinking. Of course they're going to get away with paying what is effectively a parking ticket. Nor will any of their executives face any meaningful repercussions.
The hacking was done in court.
Credit Karma buys the data for their free product from Equifax. So if lenders look at Equifax (and they do) then that's the exact same data.
You might wonder, "But if their product is free and they spend money buying the data for it, how can that make financial sense?" and that's the thing most consumers don't understand. What's better than selling advertising? Selling actual _customers_. Nobody (to a first approximation) is looking at credit scoring because they're bored, they are looking because they want to borrow money - they are potential customers for a lender. So you sign into Credit Karma and it says you're doing well, and they suggest you could get this MegaBank Gold Card. In fact, they've checked and you'll definitely qualify, no risk. You sign up, and MegaBank give Credit Karma a bunch of money for _finding them a new customer_.
Well, sorta. Credit Karma uses VantageScore 3.0 (https://en.wikipedia.org/wiki/VantageScore), which is different from the various FICO offerings, sometimes substantially. VantageScore has four different generations.
FICO has over sixty variants - by credit bureau, relevant industry (there is, for example, a mortgage-specific calculation), and generation (FICO 8 vs FICO 9).
As a result, depending on what score offering they pull, your lender may see a number that's 100 points different than the one Credit Karma shows.
> So you sign into Credit Karma and it says you're doing well, and they suggest you could get this MegaBank Gold Card. In fact, they've checked and you'll definitely qualify, no risk.
This is another misconception. "Pre-approval" doesn't mean they actually ran the numbers; they just have stats on how many people with a similar VantageScore succeeded when they applied via CK's referral links. If you look closely, CK's "you're pre-approved!" tag actually has this disclaimer underneath it:
"90% of pre-approved applicants get this card. Approval not guaranteed; subject to checks."
In the UK there is no "FICO score" but consumers anyway believe a single three digit number "ought" to summarise their credit history and so the Credit Reference Agencies just make one up. I actually sat in on meetings when the ratings were being changed where they argued about on the one hand a factor isn't relevant to most lenders any more, on the other hand consumers really _expect_ it to matter and are disappointed when it doesn't affect their score...
The intended consumers of credit data here all have proprietary algorithms to target audiences (rather than any of them relying on a simplistic "score") with a binary outcome, indeed your credit might be "too good" for some offerings. A card with 0% for 12 months is not aimed at people who'll use the card for 12 months then pay off the entire balance without flinching and walk away.
Definitely some of the offerings in the UK are approved based on knowing your _actual_ results in the proprietary algorithm because the card company is giving that algorithm (under legal agreement not to disclose it) to be used to ensure they only get given customers they'd accept. They're not "estimating" whether you'd be accepted. They don't want to waste their time on non-targets any more than the consumer wants to waste time applying for a card they won't get.
There will be some rate of non-acceptance for other reasons, but "not credit worthy" shouldn't be on the list, that's sort of the whole rationale for this business.
What is a "generation" here?
I would be curious to hear if people view Credit Karma as trustworthy. I think I didn't understand their business model prior to reading this. Thanks
There's a pretty good comparison at https://www.creditkarma.com/credit-cards/i/vantagescore-30/ between VS 3, VS 4, FICO 8, and FICO 9.
> I would be curious to hear if people view Credit Karma as trustworthy.
I strongly suspect their card/loan recommendations (where they make the bulk of their revenue) are intended to steer users into the ones that earn them the most commission. You'd want to go into it with eyes wide open and do a lot of independent research.
I should have qualified my question about the trustworthiness of Credit Karma better. What I really meant to ask was are they trustworthy enough to hold one's data in exchange for using them as a monitoring service?
How about the FTC instead agrees that identities cannot be stolen and puts companies on the hook for the money they lose by not verifying identity. You have an account with a bank and they give the money to a fraudster? Well, then they have to credit your account and go looking for the money. Someone opens a loan in your name? The company has to pay you for the time spent removing their garbage from the credit report and they have to go get the money back from the fraudster. Why not just remove the bite from identity theft?
I have no idea whether they have the cash or not, I'm just pointing out that looking at their current revenue and income is not enough. :)
That’s not the victims’ problem. Even if Equifax has to be completely liquidated to cover the compensation, the government should fight to make an example of such a terrible company and give the victims some sense of justice. Hopefully the board and the executives would rethink their lives and careers, maybe even change.
A company the size of Equifax going bust due to negligence would show Experian, Lexis-Nexis, and Transunion that these records aren't assets but large liabilities to be handled with extreme diligence.
Well, sure, if identities cannot be stolen, the whole problem is solved.
The terms of the settlement have been set. Equifax's financial outlay is fixed. All of the post settlement divvying up of the funds is being administered by the government bodies who negotiated the settlement, not Equifax.
Equifax's desires about how the money gets divvied up at this point are irrelevant.
The text from the Equifax Settlement Administrator
> Your Equifax Claim: You Must Act by October 15, 2019 or Your Claim for Alternative Compensation Will Be Denied. The amount you receive in connection with your alternative compensation claim may be significantly reduced depending on how many valid claims are ultimately submitted by other class members for this relief. Based on the number of potentially valid claims that have been submitted to date, payments of these benefits likely will be substantially lowered and will be distributed on a proportional basis if the settlement becomes final. Depending on the number of valid claims that are filed, the amount you receive for alternative compensation may be a small percentage of your initial claim.
That text was just them fear mongering. Even the FTC urged to opt for the credit monitoring instead through more fear inducing statements.
> You can still choose the cash option on the claim form, but you will be disappointed with the amount you receive and you won’t get the free credit monitoring.
But, if this is how the whole process is "administered", then I guess you might as well not have any hopes of seeing the compensation.
EDIT: Corrected to identify the authority of the email correctly.
It's perfectly reasonable that people whose lives haven't been negatively impacted in any real way don't receive anything more than a token payment.
The total pool to pay out claims to consumers is 425 million. Subtracting the 31M that leaves 394 million for people who experience real harm. The $20,000 cap per person is for people drawing money from this pool.
> For consumers impacted by the Equifax breach, today’s settlement will make available up to $425 million for time and money they spent to protect themselves from potential threats of identity theft or addressing incidents of identity theft as a result of the breach.
That consumer fund of $425 million was "supposed" to also cover protection from any potential incidents of identity theft. So, let's go with this pool then. Assuming there are 21,250 valid claims qualifying for the cap, is the settlement complete? There's no one left to compensate? I'd say clearly not. Are you willing to bet that only 0.01% of the breached credentials were misused? How did they even arrive at this number? Let's say we assume, it really is a number lower than that. With whatever's left, I'd be willing to bet, a significant number would not trust Equifax with monitoring anymore. Perhaps they even bought credit monitoring as a reaction to the breach. How do you compensate that? Whichever way you want to slice this, it's clearly insufficient.
There is a 425 million pool. It's to be used for:
1) "time and money they spent to protect themselves from potential threats of identity theft" (the 31 million part)
2) "addressing incidents of identity theft as a result of the breach" (the 394 million part)
And yes, at some point both pools can be exhausted, in which case there will be no more money for future claims. That's how a settlement works. Since there have currently been exactly 0 incidents of identity theft as a result of the breach it might not be so far-fetched to say that there will be plenty of money in the pool to cover any incidents.
I personally like CreditKarma.com
But it's my choice as a consumer. Do you make all of your choices with only cost as the factor? Probably not. Or at least not when it comes to security. So, people will have their preferences. But apparently not, if you're party to this settlement.
Equifax had a lot of say in how this settlement played out. My guess is their legal team is trying to reduce the number of cash claimants so they don't get the bad press when $.02 checks get mailed out--or there's some other benefit in adding more steps to this silly process. Their legal team is representing their interests. Drawing attention reduces the likelihood this happens in future settlements. Focusing it on Equifax makes the story way more clear.
Saying "Equifax Data Breach Settlement Administrator" (taken from equifaxbreachsettlement.com) instead of "Equifax settlement team" (used in the article) doesn't seem appreciably different.
I agree those two aren't appreciably different. They are both bad if the writer doesn't make it clear that the team (no matter the name) isn't in the employ or under the influence of equifax in any way.
I'm glad to see them citing sources properly. I can understand your concern they're not emphasizing the right party, but I don't think that would really help. Most people think class-action settlements are a joke, which means they don't have faith in the legal system. If Equifax feels like their reputation is damaged after fulfilling their legal obligations, they're free to do more.
The Equifax Data Breach Settlement Administrator is not an intermediary of Equifax. It's a court appointed representative of the plaintiffs.
Someone chose this representation that's creating additional hoops.
Indeed, and that someone is the plaintiffs. Not the defendants.
That seems unlikely. Perhaps they're hoping that some of their new credit monitoring customers will like it so much that they'll pay for the service after the term expires?
Their head of security, Susan Mauldin, had zero security or computer skills - she was a music teacher.
Anyway, the last line of the article sums it up well: "Everything about this fiasco just gets more and more surreal."
There's a sense in which they have control of entire industry sectors, some higher learning or extended experience should really be required.
To an extent, yes, but much more so now than in the past few decades. In the past, those who were senior executives responsible for technical aspects of the company would usually be very strong technically, having worked their way up from more junior positions and gaining management training along the way.
The question is what was her experience prior to being promoted? I have not kept track of this "scandal" since it started, but someone's education should not be a major factor.
All that said, she was pretty bad at her job.
I agree this is the real question. If someone doesn't have a related degree, but has the experience, that's one thing, however I've seen a handful of examples where someone with both an unrelated degree and barely, if any, relevant experience gets high up technical positions (I assume mostly because of knowing the right people in a company where tech is a cost center)
On the other hand, this settlement shouldn't have been capped at such a ridiculously low amount.
No, it's not. If you collect personal information of almost 150 million people, you have to take measures to protect that data.
If you fail to do that, you can't just say "oops, I didn't mean that"...
It’s not “some employee”. It’s an entire management hierarchy that failed to prioritise and budget for and create a culture around security best practices.
If this was the US Air Force who lost an armed nuclear ICBM the commanding officer who was ok with this “whoopsie” would have to explain him or herself to quite a few officials.
I disagree. I think it means they owe a hundred million people (a) an offer to opt-in to their service and (b) a share of their profits for doing so.
...and leaking information about every working age adult in the US.
And having a music major as chief security officer.
And having sensitive data stored as plaintext.
Their entire business is about managing information. They failed to do the only thing they are supposed to do.
It seems technically possible: Class action settlement reached, somehow a huge portion of the impacted class opts out of the settlement (extremely unlikely, but possible). Opted out class members somehow organize a subsequent action.
Is the above possible? By opting out, you explicitly keep your own individual right to bring action against the defendant, but does it bar class action participation? There's a moral hazard argument that allowing this would create a perverse incentive on the part of the class legal representation to encourage class members to opt out of the settlement and organize subsequent actions.
My recollection is that, usually, only a small number of people actively sign up to the class during the lawsuit & settlement negotiation phase, and the named class is guaranteed a substantially higher payout. The settlement is worded as up to $X for the rest of the class, who can choose to accept the fact that the amount is not a guarantee or decline and keep their ability to bring a subsequent action (hence my original question of "Can you bring subsequent class action suits comprised of different subsets of the same impacted class?").
So basically, the people who actively signed up are getting a guarantee of an amount they negotiated, the rest of us are stuck deciding how valuable "up to" $125 actually is.
Honestly.. send these people to jail make an example out of them.. hopefully people will think twice.
Shouldn't this breach of nearly half of all Americans' social security numbers be the nail in the coffin of pretending SSNs are a secret that can be used to verify your identity?
The FTC confirms it's legit: https://www.ftc.gov/enforcement/cases-proceedings/refunds/eq... (FAQ 4 item 2)
The article's author says Gmail filed it into the 'Promotions' folder.
Not a high bar to clear. Mint.com offers credit monitoring for free, as do a number of credit cards.
Yeah, but they have to contact people by email because they don't have anyone's physical home address.