in

There’s something REALLY shady going on with Equifax’s website

We entered fake information and were told that we had been hacked.

Late last week, the credit rating firm Equifax announced that the personal information of over 143 million US consumers had been exposed to hackers in what may very well be the largest data breach in US history. That’s roughly half the US population and the information lost includes names, Social Security numbers, birth dates, addresses and driver’s license numbers.

It’s really frightening stuff.

In the aftermath of the attack, Equifax set up a website to allow consumers to check if their personal information had been compromised in the breach. This site (equifaxsecurity2017.com) is extremely suspect, to say the least.

First off, know that the primary function of this site is to get you enrolled in a one-year free trial of Equifax’s Trusted ID services. Using these services requires forking over even more personal data to Equifax, which seems like rather a lot to ask considering the poor digital security that got us here.

And if you do enroll in their free trial, it’s on you to remember that you signed up for the service. Because in a year you can bet your bottom dollar that Equifax is going to bill you. The free year of Trusted ID isn’t some magnanimous enterprise; it isn’t even a consolatory gesture. What it is is a shameless way to get more people to pay Equifax for their services in the wake of a disaster Equifax created.

Next, the site has some really weird behavior that has made a lot of people wonder if it even does the one job it’s supposed to do in the first place.

Here’s what I mean: in order to check if your personal data was compromised, the site asks for two pieces of data: your last name and the last six digits of your Social Security number. So, I went ahead and entered some made up information (Last name: Smith, SSN: 123456), and the site returned a positive result.

That’s right, it told me that the fake personal information I entered had been compromised in the breach. I took video:

If you think about it, it’s kind of a brilliant ploy. If the site returns a false positive, that person ends up thinking they’ve been hacked even if they haven’t, and then sign up for Equifax’s services. After a year, they’re billed. The site isn’t a service for consumers, it’s an ad. Equifax is going full Wolf on Wall Street and turning a crisis into an opportunity. Why apologize and work to make things right? Instead, just do what Equifax clearly does best: profiting at the expense of their consumers.

So, while I will be taking steps to protect my credit, I won’t be trusting any more of my data to Equifax. I may very well end up suing them, however. And on that note..

You may be ineligible to sue simply by using the site

For real. It may be possible that by simply signing up for these services you are technically waiving your right to sue or join a class action lawsuit, which will almost certainly happen with a breach of this magnitude.

Security researcher and CBS editor Zack Whittaker noted on Twitter:

Equifax has since added a clause allowing users to opt-out of the arbitration provision. But, in order to do so, users must remember to manually mail information to Equifax. It’s not likely many will do so or even know that this is a possibility.

Here is the relevant section fromEquifax’s updated Terms of Service:

Right to Opt-Out of this Arbitration Provision. IF YOU DO NOT WISH TO BE BOUND BY THE ARBITRATION PROVISION, YOU HAVE THE RIGHT TO EXCLUDE YOURSELF. Opting out of the arbitration provision will have no adverse effect on your relationship with Equifax or the delivery of Products to You by Equifax. In order to exclude Yourself from the arbitration provision, You must notify Equifax in writing within 30 days of the date that You first accept this Agreement on the Site (for Products purchased from Equifax on the Site). If You purchased Your Product other than on the Site, and thus this Agreement was mailed, emailed or otherwise delivered to You, then You must notify Equifax in writing within 30 days of the date that You receive this Agreement. To be effective, timely written notice of opt out must be delivered to Equifax Consumer Services LLC, Attn.: Arbitration Opt-Out, P.O. Box 105496, Atlanta, GA 30348, and must include Your name, address, and Equifax User ID, as well as a clear statement that You do not wish to resolve disputes with Equifax through arbitration. If You have previously notified Equifax that You wish to opt-out of arbitration, You are not required to do so again. Any opt-out request postmarked after the opt-out deadline or that fails to satisfy the other requirements above will not be valid, and You must pursue your Claim in arbitration or small claims court.
Equifax Terms of Use

That is so anti-consumer it kind of boggles the mind. It’s pretty easy to see how this company is a dumpster fire. But that’s not even the end of it.

Equifax has since released statements that individuals who enroll in their Trusted ID service as a result of this hack are not waiving their rights to sue. But, the language above remains in the Terms of Use, and I’m not really sure that Equifax deserves the benefit of the doubt. They’re just too shady.

How shady? Well..

Equifax Executives Sold Stock Over A Month Before Hack Was Made Public

One salient fact that the company has revealed: Three of its top executives sold large blocks of stock days after the company discovered the breach. Equifax Chief Financial Officer John Gamble sold shares of the company’s stock worth nearly $950,000 on August 1. Joseph Loughran, Equifax’s president for U.S. information solutions, sold shares worth about $685,000 on August 1 as well. And Rodolfo Ploder, president of workforce solutions, sold stock for just more than $250,000 on August 2. Equifax told CNNMoney that the sales were just a “small percentage” of what these executives own and that they all “had no knowledge that an intrusion had occurred” when they made the sales.
CNN Tech

Right. They had no idea, of course. Sure.

I’m done with these people. I hope you are, too. Do you want to protect yourself? Don’t bother with Equifax. Instead: keep an eye on your bank accounts, issue a fraud alert, sign up for a more legitimate identity theft protection service, and if you’re really freaked out, put a freeze on your credit.

Written by Kelly Mears

Kelly Mears

Kelly is the Technical Director of Other98.

LEAVE A REPLY

A woman lies with her dying son in a hospital bed. He is hooked up to feeding and breathing tubes.

Drug company posed as cancer doctors to hook more people on its addictive painkiller

Indigenous Water Protectors build tiny houses in the path of Tar Sands pipeline