This week, Equifax agreed to pay up to $700 million in fines and compensation for its massive 2017 data breach, with $425 million going directly to those impacted by the breach.
The Equifax hack of 2017 was one of the most severe and alarming data breaches in history. 147.9 million identities were compromised in the breach, putting nearly half the American population at increased risk of identity theft overnight.
The hack caught the world’s attention and alerted us all to the vulnerability of our personal information and the true danger posed by years of unchecked data collection, most of which happens without our consent.
If you were affected by the breach, and chances are you were, you can now claim between $125 and $20,000 in cash compensation. Find out if you are eligible and how you can file a claim today.
Was I affected by the Equifax hack and am I eligible for benefits?
Since the Equifax hack exposed the personal information of more than 147 million Americans, if you live in the US you were more than likely impacted by the breach.
All of the 147.9 million Americans who were affected by the breach are eligible for benefits.
If you are a US resident, you can quickly check online to see if your information was impacted or find out by calling 866-447-7559. If you were impacted, you can file a claim.
How do I file a claim and how much money will I get?
If your were impacted by the breach you can file a claim for benefits ranging from free credit monitoring to up to $20,000 in cash payments for damages from identity fraud stemming from the incident. Here are the benefits you can file a claim for as of July 24, 2019:
10 Years of Free Credit Monitoring OR a $125 Cash Payment
- 4 years of free credit monitoring from all three credit bureaus (Equifax, TransUnion, and Experian), up to 6 years of additional free credit monitoring from Equifax, and $1 million in identity theft insurance OR
- $125 cash credit in the form of a check or pre-paid card if you currently have credit monitoring (you do not have to provide any documentation for cash credit)
Up to $20,000 in Cash Payments
- For any expenses or losses you incurred as a result of the breach, such as fees paid to an accountant or attorney or unauthorized credit card charges AND
- Time spent dealing with identity theft, fraud, or misuse of your personal information, or time spent on protecting yourself from fraud, such as freezing or unfreezing your credit or setting up credit monitoring services, for up to 20 hours at $25 an hour AND
- Up to 25% of the cost you paid for Equifax or any other identity monitoring service in the year leading up to the breach
- If you file a claim for 10 hours or less, you must describe the actions you took and the time spent on those actions
- If you file a claim for more than 10 hours, you must describe the actions you took AND provide documentation to back up the claim
So how do you file a claim? Easy, just click below and fill out the form.
Deadline for Filing a Claim: January 22, 2020
Arrival of Benefits: Benefits will be sent out January 23, 2020 at the earliest
Delivery of Benefits: If you file a claim for free credit monitoring you will receive an email with an activation code and instructions either by email or mail. If you file a claim for cash payments you will receive either a check or pre-paid card by mail.
Along with benefits that must be claimed, Equifax will also provide the following additional services regardless of if you have filed a claim by the deadline:
7 Years of Free Identity Restoration Services
Victims are eligible for at least seven years of identity restoration services for dealing with the effects of identity theft, fraud, or misuse of personal data.
6 Free Credit Reports Per Year for All US Consumers
Starting in 2020, all US consumers can get up to 6 free credit reports from Equifax for up to 7 years, in addition to the 1 per year US consumers currently get from each of the three credit bureaus.
The Equifax settlement finally helps bring some relief to the millions of Americans impacted by the breach, providing victims with free tools to guard against identity theft and monetary compensation for their losses. However, it is important to understand how exactly the Equifax hack happened in the first place and the steps you can take to help protect your data and identity moving forward.
Below, we take an in-depth look back at the world’s most severe data breach, how it happened, and what you can do to protect yourself.
What was the Equifax hack?
On September 7, 2017, Equifax announced that the extremely sensitive personal information of 143 million Americans had been stolen in a massive data breach that lasted from mid-May all the way through July. The stolen information included:
- Social Security numbers
- Birth dates
- Home addresses
- Driver's license information
- Credit card numbers
- Dispute documents
Equifax initially learned of the hack on July 29, 2017, and, according to the company, it “acted immediately to stop the intrusion and conduct a forensic review.” In October of 2017, following the forensic review, Equifax announced that it had identified an additional 2.5 million consumers who were impacted by the breach. Then, in March of 2018, the company again disclosed that an additional 2.4 million consumers had their partial driver’s license information stolen, bringing the total number affected to 147.9 million. Equifax also “identified unauthorized access to limited personal information for certain UK and Canadian residents.” It was later disclosed that the breach impacted approximately 19,000 Canadians and 693,000 UK residents.
Of those impacted, 209,000 consumers’ credit card numbers and 182,000 consumers’ dispute documents were stolen in the hack. According to the company, forensics experts determined that the hackers were primarily focused on stealing Social Security numbers, a goal that the attackers were extremely successful at accomplishing. To this day, security experts have yet to find the stolen Equifax data for sale on the dark web or anywhere else online, pointing to the likelihood that the perpetrators have been using the data to their own nefarious ends.
In the wake of the hack, Equifax setup a dedicated website (equifaxsecurity2017.com) to help consumers determine if they were affected, an immediate unforced error that brought with it dozens of scam sites with similar URLs setup to take advantage of the confusion and concern that ensued in the days following the announcement.
What made the Equifax hack so egregious was the number of Social Security numbers the hackers were able to abscond with. Your Social Security number is the key to your identity. When exposed, it potentially opens you up to all kinds of malicious schemes, many of which can negatively impact your financial well-being for years to come. Once SSNs are in the hands of identity thieves, it can quickly lead to stolen tax refunds, fake bank or utility accounts, or even fraudulent mortgages.
Everything a fraudster needs to authenticate themselves for most loans was stolen in the Equifax hack: SSNs, birth dates, driver’s license numbers, and home addresses. The second Equifax was breached the well-being of half the American population was put at risk. Accurate and secure credit information is vital to consumers looking to access loans, get a job, buy a home, or rent an apartment. Equifax put the credibility of that data into doubt overnight.
How did it happen?
On May 13, 2017, hackers were able to exploit vulnerabilities in Equifax’s dispute portal, gaining access to 51 Equifax servers that held the personal information of consumers.
Once in, hackers had access to Equifax’s servers for 76 days, slowly siphoning off data up until Equifax became aware of the intrusion on July 29. To make matters worse, the hack required minimal programming knowledge and took advantage of a security exploit that the company knew about for months.
Experts and analysts still don’t know who was responsible for the hack or how the data has been used, but what we do know is that the hack was so simple that nearly anyone could have pulled it off. It didn’t require a zero-day exploit or even a phishing attack. Here is just how easy it was.
Most hacks start by gaining access to one computer through either a security vulnerability or social engineering. From there, the attacker elevates their access and compromises other accounts or resources on the network (email, internal file servers, etc).
One of the worst vulnerabilities an application can have is called “Remote Code Execution”. An application with a remote code execution vulnerability will let an attacker run anything they want on the application’s server. If the application is online, an attacker can tell it to run a program that lets them connect to the machine and operate it like it’s their own.
Equifax has officially acknowledged that the attack was performed using a remote code execution vulnerability in a widely used Java framework, Apache Struts CVE-2017-5638, that was first reported in March of 2017. Even though Equifax more than likely knew about the vulnerability considering that as of March 9 there were tutorials on YouTube explaining how to hack a server using the vulnerability, and a patch for it was released on March 6, it did nothing to address the issue.
The script to run the Equifax attack was public, open for the world to see, and could have been executed in as little as half an hour. In essence, all it would have taken to hack Equifax was for an attacker to follow a step-by-step tutorial showing how to exploit the Apache Struts vulnerability in order to get access to the Equifax server. This security flaw, along with Equifax’s failure to properly address it and adequately encrypt personal information on its servers, is what provided the opening hackers exploited two months later on May 13.
Had Equifax devoted an adequate amount of resources to data security, and followed even the most basic of security practices, the hack could have easily been avoided. While it is unclear exactly what steps Equifax has taken to prevent a breach like this from happening again, the company says on it’s website, “We have taken numerous steps to review and enhance our cybersecurity practices, and we continue to work closely with our internal team and outside advisors to implement and accelerate long-term security improvements.” Only time will tell whether those security improvements are sufficient or not.
What steps can I take to protect myself from identity theft?
In the wake of the Equifax breach it is more important than ever to take proactive steps toward safeguarding your data and protecting your identity online. Here are some steps you can take to help guard against identity theft that could result from the Equifax hack:
- Monitor your credit for fraudulent activity using a free credit monitoring service or by claiming free credit monitoring from the Equifax settlement, if you notice activity on your credit report that may be fraudulent you can request that a fraud alert be placed on your credit file with one of the three credit bureaus
- Create and build a cryptographically secure identity with BloomID to securely share data and help minimize your chance of your personal information being involved a data breach
- Monitor data breaches for free with Bloom Radar and receive alerts when your information is found in a data breach
- Monitor your credit card and bank account statements for suspicious activity and immediately report any fraudulent activity to your financial institutions
- Be on the lookout for tax fraud, if you know or suspect you have been a victim of tax-related fraud make sure to fill out an affidavit with the IRS and file your taxes as early in the tax season as possible
- If you suspect your driver’s license has been exposed, contact your local DMV to see if you can have an alert put on your license number
While the Equifax breach may have put you at increased risk of identity fraud, it is just one of thousands of breaches in recent years. Want to make sure your cyber hygiene is squeaky clean? Here are some additional steps you can take to protect you data and identity:
- Learn more about data breaches with our Ultimate Guide to Data Breaches so that you are better equipped to understand what information is being exposed and how it is being compromised so that you can begin to take proactive steps to protect your data and identity.
- Freeze Your Credit: One of the most effective ways of reducing your risk of identity fraud is to freeze your credit. Freezing your credit helps prevent fraudsters from opening up new financial accounts or lines of credit in your name.
- Setup a Password Manager: Password managers make it easy to generate strong, unique passwords for every account you have online and helps prevent one account compromise from affecting dozens of other accounts.
- Enable Two-Factor Authentication: 2FA provides an extra layer of security and helps make sure that the person who is trying to get access to an account is who they say they are. Two-factor authentication makes it much harder for hackers and identity thieves to get unauthorized access to your accounts.
- Minimize Data Sharing: Try to minimize the amount of data you share as much as possible. Don’t share personal information just because someone asks for it, ask why the information is needed and how it will be protected. Avoid sending plain text data or passwords by email or text, and transmit information securely whenever possible.
For more tips check out our full guide on how to protect your identity.
Bloom: Take Back Control of Your Data
At Bloom, we are giving you the tools to take back control of your data. No more centralized data storage. No more selling off your data to the highest bidder. No more risking identity theft. Bloom enables you to own, control, and protect your data using the latest advancements in blockchain technology.
It’s time to take back control of your data and unlock the power of a secure, reusable identity today. Download the Bloom mobile app to build a cryptographically secure identity and get free data breach alerts with Radar!