How Equifax failed miserably at handling its data breach

A data breach, as conventional wisdom goes, can happen to anyone, but how an organization handles the fallout shows whether it cares about its users at all – and Equifax is failing spectacularly at it.

One failure after another

Following the Thursday announcement that it had suffered a data breach resulting in the compromise of sensitive information (including Social Security numbers) of some 143 million US individuals, Equifax set up a site through which people can check whether they have been affected.

Unfortunately, the result of that check can't be trusted: the site seemingly at random tells the same person either that they have been impacted or that they haven't.

It seems logical to assume, then, that Equifax itself doesn't know which individuals have been affected.

Still, they want everybody to sign up for their credit file monitoring and identity theft protection with TrustedID Premier, a credit monitoring service that is also operated by Equifax.

As TechCrunch’s Sarah Buhr noted, “It’s clear Equifax’s goal isn’t to protect the consumer or bring them vital information. It’s to get you to sign up for its revenue-generating product TrustID.”

But signing up for the service could create additional problems for users.

For one, the TrustedID Premier Terms of Service initially contained an arbitration clause that was read as making those who sign up forfeit their right to join a class action suit against Equifax over this breach. After this was pointed out publicly by many, Equifax added a note to the FAQ for the TrustedID Premier program saying that “enrolling in the free credit file monitoring and identity theft protection products that we are offering as part of this cybersecurity incident does not prohibit consumers from taking legal action.”

Also, if you use the service to put a freeze on your credit files, you receive a ten-digit PIN that you will need to lift the freeze later. The PIN is assigned by Equifax rather than chosen by you, and it is not random: it is the date and time at which you performed the freeze. A ten-digit random PIN would give an attacker ten billion possibilities; a timestamp gives only one candidate per minute, so anyone who knows roughly when you froze your file (for example, in the days after the breach was announced) has a search space of a few thousand values per day and can brute force or guess it with little effort.
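To make the difference concrete, here is an added example (not code from the article or from Equifax) that models the two PIN schemes side by side. It assumes the timestamp PIN is laid out as MMDDYYHHMM, which matches the ten-digit length the article describes but is otherwise an assumption, and the freeze times it uses are constructed for illustration.

```python
import secrets
from datetime import datetime, timedelta

# Assumed layout of the timestamp-derived PIN: month, day, two-digit year,
# hour, minute. Ten digits in total, matching the article's description.
TIMESTAMP_PIN_FORMAT = "%m%d%y%H%M"


def timestamp_pin(when: datetime) -> str:
    """Derive a PIN from the freeze time, the way the article says Equifax did."""
    return when.strftime(TIMESTAMP_PIN_FORMAT)


def candidate_pins(start: datetime, end: datetime) -> list[str]:
    """Every PIN an attacker would try if the freeze happened in [start, end).

    Because the PIN has one-minute resolution, the candidate list grows by
    1440 entries per day of uncertainty, not by a factor of anything.
    """
    pins = []
    current = start
    while current < end:
        pins.append(timestamp_pin(current))
        current += timedelta(minutes=1)
    return pins


def attempts_to_recover(target_pin: str, start: datetime, end: datetime):
    """Number of guesses needed to hit target_pin by walking the window in order.

    Returns None if the freeze time lies outside the window the attacker assumed.
    """
    for attempt, pin in enumerate(candidate_pins(start, end), start=1):
        if pin == target_pin:
            return attempt
    return None


def random_pin() -> str:
    """What the PIN should have been: ten digits drawn from a CSPRNG."""
    return f"{secrets.randbelow(10**10):010d}"


def random_search_space() -> int:
    """Size of the search space for a uniformly random ten-digit PIN."""
    return 10**10


if __name__ == "__main__":
    # Constructed scenario: a consumer freezes their file during the first
    # full day after the breach announcement; the attacker only knows the day.
    freeze_time = datetime(2017, 9, 8, 14, 30)
    window_start = datetime(2017, 9, 8)
    window_end = window_start + timedelta(days=1)

    weak = timestamp_pin(freeze_time)
    print(f"timestamp PIN: {weak}")
    print(f"candidates for a one-day window: {len(candidate_pins(window_start, window_end))}")
    print(f"guesses needed: {attempts_to_recover(weak, window_start, window_end)}")
    print(f"random PIN: {random_pin()} (search space {random_search_space():,})")
```

The point the example makes is that the weakness is not the PIN's length but its entropy: narrowing the freeze to a single day leaves 1,440 candidates, and even a month of uncertainty leaves well under 50,000, against ten billion for a PIN drawn from a cryptographically secure random source.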

What now?

If you’ve already signed up for TrustedID Premier and you want to make sure you retain the option to sue Equifax at a later date, you can opt out of the arbitration clause by sending a statement to the company by snail mail. The statement must include your name, address, and Equifax user ID, as well as a “clear statement that you do not wish to resolve disputes with Equifax through arbitration.” If you don’t know how to write it, this site can help.

Also, if you’ve signed up for the service, be aware that only the first year is free: if you don’t cancel it when that year ends, Equifax will continue to provide it – and bill you for it, of course.

Patrick McKenzie has written a guide for individuals dealing with the personal fallout from the breach, to help them decide what they should do to protect themselves and their credit. As the stolen information is very likely to end up for sale on dark web markets, they may need that knowledge before long.

Finally, be aware that phishers and scammers are sure to take advantage of this breach, so be careful when assessing communications that appear to come from Equifax or that, in general, make reference to the breach.