Equifax Data Breach: Why you shouldn’t take the cash

This post may contain affiliate links which may compensate us based on your interaction. Please read the disclosures for more information.

On
July 22, 2019, Equifax Inc. agreed to pay $575 million as part of its
settlement with the Federal Trade Commission (“FTC”), the Consumer
Financial Protection Bureau (“CFPB”), and all 50 U.S. states and
territories concerning its 2017 data breach.

The
proposed settlement includes a $300 million payment to a Consumer fund that
will provide protection and compensation to 147 million affected consumers. The
settlement also includes a provision that if Equifax’s initial $300 million
payment is insufficient, then an additional amount of up to $125 million will
be contributed.  Therefore, Equifax could
pay $700 million dollars: up to $425 million to the Consumer Fund; $175 million
to the states, the District of Columbia and Puerto Rico; and $100 million to
the CFPB related to civil penalties.

What
happened?

On September 7, 2017, Equifax disclosed
that a massive data breach exposed the sensitive personal information of 147
million consumers  (“Breach”).
A vulnerable version of Apache Struts,
“open-source, MVC
framework for creating elegant, modern Java web applications,” used in Equifax’s
Dispute Portal opened their system to hackers the Breach. Although Equifax
received notification of the Apache Struts vulnerability in March of 2017, it
failed to address the problem adequately. 

In the summer of 2017, the Equifax identified
suspicious traffic on the Dispute Portal. It blocked the traffic but after noticing
additional suspicious traffic the portal was ultimately taken offline.  

Equifax hired a forensic
consultant to determine the extent of the security issue. Between May 2017 and
July 2017, multiple hackers gained access to Equifax’s network through the
vulnerability in the Dispute Portal. Once inside, the hackers searched dozens
of Equifax’s databases which contained consumer’s personal information well
beyond what was just contained in the Portal. Hackers also accessed unsecured
files which contained administrative credentials enabling further access to Equifax’s
network. By August 11, 2017, it was clear that the Breach exposed a large
amount of sensitive consumer personal information.

How
much was sensitive consumer information was exposed?

The forensic
consultant revealed that the compromised files included approximately 147
million names and dates of birth, 145.5 million social security numbers, 99
million addresses, 20.3 million telephone numbers, 17.6 million email
addresses, and 209,000 payment card numbers with expiration dates. Unfortunately,
and ironically, much of this data came from consumers who had purchased
products such as Equifax’s credit monitoring and identity theft prevention.

On
July 22, 2019, the
FTC brought an action to obtain permanent injunctive relief, restitution, and
other relief against Equifax under the Federal Trade Commission Act, the
Safeguards Rule, Gramm-Leach-Bliley Act alleging that

Equifax
failed to take simple steps that could have prevented the Breach.  The proposed settlement
between the parties includes four years of credit and identity monitoring for affected
consumers from Equifax, Experian, and TransUnion in addition to $1,000,000 in
identity theft insurance and Identity Restoration Services.

However,
those affected also have the option of an alternative Reimbursement
Compensation of up to One Hundred Twenty-Five Dollars ($125),  out of pocket expenses which include credit monitoring,
costs incurred as a result of placing or removing a security freeze on a
Consumer Report with any Consumer Reporting Agency or any other misuse of
affected consumer’s information as a result of the Breach.

Were you affected?

To determine if you were affected, use the Equifax Eligibility tool which can be found here: https://eligibility.equifaxbreachsettlement.com/en/eligibility. If you were affected, you have to make a claim to receive any compensation related to the settlement.

Do you need information on how to claim the $125 plus additional expenses?

Check out Sandy Smith from Yes, I am Cheap’s Step by Step Claim process.

Don’t jump to take the cash

According
to Javelin Research, 16.7 million Americans were victims of identity fraud in 2017.  Although the FTC reported the median amount lost to fraud was
only $375, that’s three times the minimum settlement amount.

According
to the Identity Theft Resource Center’s 2018 End of Year Data Breach Report,
there were 1,244 reported breaches and 446,515,334 sensitive records with identifying
information exposed. What’s
more alarming is that although breaches were down from 2018 but the number of
confidential records exposed increased by two and a half times. It is
apparent that consumer information will continually be at risk for use.

Unless you have purchased additional credit monitoring
or have already been adversely affected and paid money out of pocket, consider
taking the four years of credit and identity monitoring mainly for the
$1,000,000 of identity theft protection. 
The four years of monitoring provides more protection than the money.
The question is not if your identity will be compromised but, when.

Even if you weren’t affected by the Breach, you can receive six free credit reports each year for seven years in addition to the free annual credit report already provided.

The post Equifax Data Breach: Why you shouldn’t take the cash appeared first on The Ivy Investor.