In the wake of a data breach that put the personal data belonging to millions of Americans into the hands of hackers, lawyers in Portland, Oregon have filed a class action lawsuit against the credit reporting company Equifax—but learning whether you were part of one of the largest hacks in history, and what to do next, is anything but straightforward.
Bloomberg reports that the suit, filed in federal court Thursday night, alleges that "Equifax negligently failed to maintain adequate technological safeguards to protect [the plaintiffs'] information from unauthorized access by hackers." The complaint continues, "Equifax knew and should have known that failure to maintain adequate technological safeguards would eventually result in a massive data breach."
The suit also makes note of the fact that Equifax discovered the breach on July 29th, but didn't alert those affected until earlier this week. Within four days of the hack, however, a number of high-up Equifax executives, including Equifax Chief Financial Officer John Gamble; President for U.S. information solutions Joseph Loughran; and President of workforce solutions Rodolfo Ploder sold shares at high prices.
Whether or not customers were properly notified of the breach by Equifax is the target of an investigation by Attorney General Eric Schneiderman, who estimated Friday that as many 8 million New Yorkers may have been put at risk. He encouraged everyone to call Equifax and see if their information had been compromised, and added that his "office intends to get to the bottom of how and why this massive hack occurred."
Calling Equifax has yielded mixed results, and it remains somewhat unclear how to best tell whether you were one of the millions put at risk by the company. On Saturday, the AG urged concerned New Yorkers to check a new website set up by Equifax—www.equifaxsecurity2017.com—to see if their information had been comprised. That suggestion was widely panned on Twitter, with many users saying they were either unable to access the form or hesitant to share more personal information with the company.
Right. This just happened to me, too. They want me to apply in writing + copies of SS card, drivers license etc. WTF?
— Catherine Wood (@thewalkinglady) September 9, 2017
Your first recommendation is 💩. NFW I enter any more PII data into a site managed by this disaster of a company
— mike d. kail (@mdkail) September 10, 2017
In addition to recommending the Equifax site, Schneiderman also offered other consumer recommendations, including checking your credit reports and monitoring existing bank accounts closely for unauthorized charges. He also suggested that New Yorkers might "consider placing a credit freeze on your files." (The Washington Post has a good explainer on what this entails.)
But if you do decide to trust Equifax's janky hack discovery website, you will be asked to enter the last 6 digits of your social security number, in order to enroll in TrustedID Premier, a "complimentary identity theft protection and credit file monitoring product." Despite Schneiderman's endorsement, expert opinion on whether this is a good or bad idea. (Fool me once, etc).
As of Sunday morning, the site seemed to be working in a way that you could find out if you were hacked, without fully enrolling in the Trusted ID program. Here's what that news, delivered in a very gracious way, looks like:
Of course, you could also skip all of that, and follow the advice of CNET's editor: "We recommend that anyone with a credit history assume they were affected by the hack, as Equifax's hack-checker tool proved unreliable in our tests."