SoylentNews is people

posted by martyb on Saturday September 09 2017, @06:49PM
from the ignorance-is-bliss? dept.

Visiting Equifax's site to see if you're a victim of the recent data breach can require you to waive lawsuit rights:

By all accounts, the Equifax data breach is, as we reported Thursday, "very possibly the worst leak of personal info ever." The incident affects possibly as many as 143 million people.

But if you want to find out if your data might have been exposed, you waive your right to sue the Atlanta-based company. We're not making this up. The company has now published a website allowing consumers to input their last six digits of their Social Security numbers to find out.

Like most websites, at the bottom of this new site is a section called "Terms of Use." There, in paragraph 4, is bolded, uppercase text of note. It tells site visitors that you agree to waive your right to sue and instead must "resolve all disputes by binding, individual arbitration."

AGREEMENT TO RESOLVE ALL DISPUTES BY BINDING INDIVIDUAL ARBITRATION. PLEASE READ THIS ENTIRE SECTION CAREFULLY BECAUSE IT AFFECTS YOUR LEGAL RIGHTS BY REQUIRING ARBITRATION OF DISPUTES (EXCEPT AS SET FORTH BELOW) AND A WAIVER OF THE ABILITY TO BRING OR PARTICIPATE IN A CLASS ACTION, CLASS ARBITRATION, OR OTHER REPRESENTATIVE ACTION. ARBITRATION PROVIDES A QUICK AND COST EFFECTIVE MECHANISM FOR RESOLVING DISPUTES, BUT YOU SHOULD BE AWARE THAT IT ALSO LIMITS YOUR RIGHTS TO DISCOVERY AND APPEAL.

https://arstechnica.com/tech-policy/2017/09/are-you-an-equifax-breach-victim-you-must-give-up-right-to-sue-to-find-out/



Related Stories

Equifax Data Breach Could Affect 143 Million Americans [Updated] 55 comments

We had three Soylentils send in notice of a major breach at Equifax. The company has a web site specifically for this breach: https://www.equifaxsecurity2017.com/.

Equifax Data Breach Could Affect 143 Million Americans

Equifax, one of the big three US consumer credit reporting agencies, says that criminals exploited a web application vulnerability to gain access to "certain files":

Equifax Inc. today announced a cybersecurity incident potentially impacting approximately 143 million U.S. consumers. Criminals exploited a U.S. website application vulnerability to gain access to certain files. Based on the company's investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax's core consumer or commercial credit reporting databases.

The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver's license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed. As part of its investigation of this application vulnerability, Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents. Equifax will work with UK and Canadian regulators to determine appropriate next steps. The company has found no evidence that personal information of consumers in any other country has been impacted.

Is there a silver lining to this event?

Also at NYT, Ars Technica, and CNN.

Equifax Linked to a Fake Breach Info Site for Weeks 9 comments

Equifax's Twitter account linked to a website created by a software engineer imitating the real breach info site:

People create fake versions of big companies' websites all the time, usually for phishing purposes. But the companies do not usually link to them by mistake.

Equifax, however, did just that after Nick Sweeting, a software engineer, created an imitation of equifaxsecurity2017.com, Equifax's page about the security breach that may have exposed 143 million Americans' personal information. Several posts from the company's Twitter account directed consumers to Mr. Sweeting's version, securityequifax2017.com. They were deleted after the mistake was publicized.

By Wednesday evening, the Chrome, Firefox and Safari browsers had blacklisted Mr. Sweeting's site, and he took it down. By that time, he said, it had received about 200,000 hits.

Fortunately for the people who clicked, Mr. Sweeting's website was upfront about what it was. The layout was the same as the real version, complete with an identical prompt at the top: "To enroll in complimentary identity theft protection and credit file monitoring, click here." But a headline in large text differed: "Cybersecurity Incident & Important Consumer Information Which is Totally Fake, Why Did Equifax Use A Domain That's So Easily Impersonated By Phishing Sites?"

Also at The Verge.

Previously: Equifax Data Breach Could Affect 143 Million Americans [Updated]
Are You an Equifax Breach Victim? You Could Give Up Right to Sue to Find Out
Outrage Builds after Equifax Executives Banked $2 Million Following Data Breach
Equifax CIO, CSO "Retire" in Wake of Huge Security Breach



  • (Score: 1, Interesting) by Anonymous Coward on Saturday September 09 2017, @06:57PM (2 children)

    by Anonymous Coward on Saturday September 09 2017, @06:57PM (#565734)

    Somehow I doubt that part of the "agreement" is enforceable. This is a piece of information they are obligated to provide, I believe, and if so, attaching strings to provide the info seems strange. They like to put all sorts of things into these agreements and they fully know that some (or many) of them would not stand up in court. It's not an accident that they always include "some parts of this agreement may not be legal in your jurisdiction, but that does not affect the rest" (or something similar).

    • (Score: 2) by JoeMerchant on Saturday September 09 2017, @08:02PM (1 child)

      by JoeMerchant (3937) on Saturday September 09 2017, @08:02PM (#565751)

      Legal advice from AC on the internet. You get what you pay for.

      --
      🌻🌻 [google.com]
      • (Score: 1, Touché) by Anonymous Coward on Saturday September 09 2017, @08:21PM

        by Anonymous Coward on Saturday September 09 2017, @08:21PM (#565756)

        Free opinion from some named asshole on the internet who feels his giant ego is important enough to register an account.

  • (Score: 1, Interesting) by Anonymous Coward on Saturday September 09 2017, @06:58PM (1 child)

    by Anonymous Coward on Saturday September 09 2017, @06:58PM (#565735)

    From the posted Terms of Use:

    "TrustedID, Inc. ("TrustedID," "we," "us," "our"), an Equifax company, provides its products to you ("You," "Your") through various websites (including www.TrustedID.com) and its related applications and products (collectively, the "Product(s)" which term includes any new features, products and applications offered by us from time to time), subject to the following Terms of Use (as amended from time to time, the "Agreement").

    YOU MUST ACCEPT THIS AGREEMENT BEFORE YOU WILL BE PERMITTED TO REGISTER FOR, USE OR PURCHASE ANY PRODUCT. BY REGISTERING ON THIS WEBSITE AND SUBMITTING YOUR ORDER, YOU ARE ACKNOWLEDGING ELECTRONIC RECEIPT OF, AND YOUR AGREEMENT TO BE BOUND BY, THIS AGREEMENT. YOU ALSO AGREE TO BE BOUND BY THIS AGREEMENT BY USING OR PAYING FOR OUR PRODUCTS OR TAKING OTHER ACTIONS THAT INDICATE ACCEPTANCE OF THIS AGREEMENT"

    The terms only appear to apply if you continue with the silly TrustedID signup.

    • (Score: 0) by Anonymous Coward on Saturday September 09 2017, @08:54PM

      by Anonymous Coward on Saturday September 09 2017, @08:54PM (#565762)

      Which is what your check is doing.

      Just like spam, do not click on any links.

  • (Score: 1, Interesting) by Anonymous Coward on Saturday September 09 2017, @07:01PM (6 children)

    by Anonymous Coward on Saturday September 09 2017, @07:01PM (#565736)

    This was confirmed by Equifax and an AG not to be true. You won't waive your rights just by checking.

    • (Score: 2) by Virindi on Saturday September 09 2017, @07:06PM (3 children)

      by Virindi (3484) on Saturday September 09 2017, @07:06PM (#565740)

      > This was confirmed by Equifax and an AG not to be true. You won't waive your rights just by checking.

      Link?

      And note that even if their PR department did say that, it isn't relevant. All that matters is the wording of the agreement itself. Nearly every written contract specifies that it constitutes the entire contract.

      If they really wished to resolve the issue they should add a clarification to the terms document.

      • (Score: 5, Informative) by Marand on Saturday September 09 2017, @11:51PM (2 children)

        by Marand (1081) on Saturday September 09 2017, @11:51PM (#565804) Journal

        Link [equifaxsecurity2017.com]

        It's right there on the front page of the site you're supposed to go through to do the check; the one that was linked in the previous SN story on the breach. It's been there about a day, now, likely added because of the belief that checking waives your rights.

        • (Score: 0) by Anonymous Coward on Sunday September 10 2017, @09:38AM

          by Anonymous Coward on Sunday September 10 2017, @09:38AM (#565915)

          I tried wget:

          Resolving www.equifaxsecurity2017.com (www.equifaxsecurity2017.com)... 104.20.65.37
          Connecting to www.equifaxsecurity2017.com (www.equifaxsecurity2017.com)|104.20.65.37|:443... connected.
          ERROR: The certificate of ‘www.equifaxsecurity2017.com’ is not trusted.
          ERROR: The certificate of ‘www.equifaxsecurity2017.com’ hasn't got a known issuer.
          ERROR: The certificate of ‘www.equifaxsecurity2017.com’ was signed using an insecure algorithm.

        • (Score: 0) by Anonymous Coward on Sunday September 10 2017, @10:38PM

          by Anonymous Coward on Sunday September 10 2017, @10:38PM (#566050)

          > It's right there on the front page of the site you're supposed to go through to do the check; the one that was linked in the previous SN story on the breach.

          Right there on their Wordpress site, you mean.

    • (Score: 0) by Anonymous Coward on Saturday September 09 2017, @11:33PM

      by Anonymous Coward on Saturday September 09 2017, @11:33PM (#565795)

      Although they have it there hoping people will assume their rights will be given up just by checking and as a result refuse to either check (win for the incompetent company that failed to protect its users properly) or will give up those rights willingly (thinking they've already lost them) and put themselves at the mercy of the arbitration (win for the incompetent company that failed to protect its users properly).

      Gee, wonder why they made sure it was added to the website.

    • (Score: 5, Informative) by krishnoid on Sunday September 10 2017, @01:01AM

      by krishnoid (1156) on Sunday September 10 2017, @01:01AM (#565824)

      My that-other-site post:

      Nope [snopes.com]. New York's attorney general demanded they clarify the wording [twitter.com] on this.

  • (Score: 3, Insightful) by Virindi on Saturday September 09 2017, @07:03PM (2 children)

    by Virindi (3484) on Saturday September 09 2017, @07:03PM (#565738)

    Probably not intentional, if it is even worded in such a way that would remove your right. This is the kind of "terms" that you find on every big co. website these days. Arbitration clauses are just popular because of the way the law on them works.

    More likely, it is just a standard form document meant to apply to disputes arising from the use of the site rather than prior events.

    • (Score: 0) by Anonymous Coward on Sunday September 10 2017, @01:17AM (1 child)

      by Anonymous Coward on Sunday September 10 2017, @01:17AM (#565828)

      I'd say it was intentional, because it's a standard document meant to apply to disputes.

      Forced arbitration is a dick move no matter what, and it's an especially dick move to use the template without even recognizing what is in it.

      It is worse when the vendor doesn't even know what the hell their legalese actually means, and then they expect people to comply with it?

      I agree with you that the *intent* was not to intentionally enforce one into arbitration and giving up one's rights to sue in the event you checked to see if you suddenly had reason to sue, but it seems like their apparatus as a company has not put a lot of thought into various problems they have. I am not offended someone else called them to ask on this; I am hoping you understand why it seems odd you are defending them.

      • (Score: 0) by Anonymous Coward on Monday September 11 2017, @04:06AM

        by Anonymous Coward on Monday September 11 2017, @04:06AM (#566115)

        Indeed, but until we stop having two corporatist parties that keep appointing incompetent jurists to court positions, that's not likely to change. It's astonishing to me that companies can force people to sign away their constitutional right to a trial when they need a service.

  • (Score: 2, Interesting) by Anonymous Coward on Saturday September 09 2017, @07:14PM (6 children)

    by Anonymous Coward on Saturday September 09 2017, @07:14PM (#565743)

    Equifax's market cap is $17.5 billion dollars. If the company were completely liquidated to pay damages to all injured parties (143 million of them), then every plaintiff would receive about $100. But that doesn't include all of the legal fees, the effect of such a suit on Equifax's stock price, etc. It's not like Equifax is worth $17.5B because it has that much cash sitting in a vault somewhere.

    The victims are basically screwed.

    • (Score: 0) by Anonymous Coward on Saturday September 09 2017, @07:25PM

      by Anonymous Coward on Saturday September 09 2017, @07:25PM (#565745)

      Include every financial institution (Visa, MC, AMEX, banks) that used their services to access your account without your permission and there's plenty of cash.

    • (Score: 2) by VLM on Saturday September 09 2017, @08:56PM (2 children)

      by VLM (445) on Saturday September 09 2017, @08:56PM (#565763)

      I suspect the long term effect of half the country being doxxed is their data will no longer be considered private identification.

      You have to admit, it's kinda stupid in 2017 for anyone on the planet to be able to take out a loan in your name with no more than a fake ID (which all college kids have), yer ma's maiden name (hello social media) and literally 9 digits (which are essentially public for most people from zillions of past breaches and now this one).

      I would guess that after the financial system resets from the above, the main problem is going to be targeted social engineering attacks. We've gotten pretty used to phone calls asking for your credit card number from "your credit card company" etc, and now you're going to get targeted attacks with phone calls asking for your CC number claiming to be from Citibank or wtf.

      The first 10K people to have their identity info made public are screwed. The first 140M, eh, not so much.

      • (Score: 2) by Dr Spin on Saturday September 09 2017, @10:03PM (1 child)

        by Dr Spin (5239) on Saturday September 09 2017, @10:03PM (#565774)

        You have to admit, it's kinda stupid in 2017 that anyone on the planet even permits the credit rating agencies to exist.

        Surely the whole purpose of data protection laws is to prevent the existence of scumbags like this.

        --
        Warning: Opening your mouth may invalidate your brain!
        • (Score: 2) by VLM on Sunday September 10 2017, @07:28PM

          by VLM (445) on Sunday September 10 2017, @07:28PM (#566005)

          You end up with an interesting slippery slope, where "title clearing services" are kinda like CRAs for pieces of real estate "How bogus is this certificate of title for the brooklyn bridge?" vs "How bogus is this claim of $200K/yr income on this NINJA subprime mortgage application?" Another interesting slippery slope is the dying and failing SSL certificate racket.

    • (Score: 2) by Justin Case on Sunday September 10 2017, @03:42PM (1 child)

      by Justin Case (4239) on Sunday September 10 2017, @03:42PM (#565962) Journal

      > every plaintiff would receive about $100... The victims are basically screwed.

      Agreed. But the outcome we want is a judgment of $1000+ in favor of each victim. As your math shows, that would utterly wipe Equifux off the map, together with each and every employee, and the entire investment of every stockholder.

      That is what it will take to fix the hurricane of computer insecurity amid which we are all forced to live. The CxO level would realize that just perhaps their own interests are at stake, not just the ants they consider the rest of us to be. Every employee of other data-handling enterprises would see that maybe those "stupid security rules" are there to protect their own income stream. Investors would start looking for security audits by independent third parties.

      In short, the nuclear option for Equifux is about the only good that could come of this event.

      • (Score: 0) by Anonymous Coward on Sunday September 10 2017, @05:55PM

        by Anonymous Coward on Sunday September 10 2017, @05:55PM (#565986)

        Don't worry. It won't happen.

        I'll be surprised to even see a headline about even tens of millions of damages. Their PR department, the media, knows they can throw huge-sounding numbers like "millions" up there, and the innumerate cows will believe that justice was done.

  • (Score: 1, Insightful) by Anonymous Coward on Saturday September 09 2017, @08:14PM (3 children)

    by Anonymous Coward on Saturday September 09 2017, @08:14PM (#565755)

    No money paid to Equifux -> no consideration -> no contract -> no terms.

    • (Score: 2) by Gaaark on Saturday September 09 2017, @08:52PM (2 children)

      by Gaaark (41) on Saturday September 09 2017, @08:52PM (#565760) Journal

      Yeah, if I was one of their customers, I'd be phoning them and saying wtf and that I'm no longer their customer, and that when I find out I AM one of the breach victims, I WILL be part of the lawsuit.

      This should not even be allowed by U.S. AG.

      --
      --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
      • (Score: 0) by Anonymous Coward on Saturday September 09 2017, @11:43PM (1 child)

        by Anonymous Coward on Saturday September 09 2017, @11:43PM (#565797)

        > This should not even be allowed by U.S. AG.

        Unfortunately we have no consumer protection under this administration. All that is gone now. The constitution has been replaced by an EULA that changes by the hour. You're better off playing the lottery. Pray there is no dispute when you try to collect your winnings.

        • (Score: 0) by Anonymous Coward on Sunday September 10 2017, @05:10AM

          by Anonymous Coward on Sunday September 10 2017, @05:10AM (#565864)

          > Unfortunately we have no consumer protection under this administration.

          It is certainly looking that way relative to the current federal gov't. I live in NY State where there are plenty of consumer protections. Yes, I pay more in state taxes, but this is another case where you get what you pay for (at least to some extent).

  • (Score: 0) by Anonymous Coward on Saturday September 09 2017, @09:33PM (1 child)

    by Anonymous Coward on Saturday September 09 2017, @09:33PM (#565770)

    When I go to their site, I get

    Your connection is not secure

    The owner of www.equifaxsecurity2017.com has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.

    • (Score: 2) by Scrutinizer on Sunday September 10 2017, @02:15PM

      by Scrutinizer (6534) on Sunday September 10 2017, @02:15PM (#565953)

      Firefox refuses to properly use self-signed certificates for HTTPS, even though those are the second most secure type (the arguable best being HTTP Public Key Pinning in conjunction with HTTP Strict Transport Security). Traditional HTTPS certificates issued by a Certificate Authority and trusted by default are utterly broken and completely insecure due to compromised CAs in addition to the USA's National Security Letters [rt.com]; at best they can keep the nobodies across the street or script-kiddies from decoding your traffic, but do nothing to stop the serious bad actors.

      Mozilla has announced plans to forcibly tie Firefox to this useless deadweight of the CA-HTTPS system by "depreciating" non-secure HTTP [mozilla.org], in effect declaring that Firefox will cease to become a functional web browser.

      If you like what Firefox was and you're still using Windows for some reason, I cannot recommend Pale Moon [palemoon.org] highly enough. Grab it quick from that "non-secure HTTP" site before Firefox forcibly stops you from going there. (Feel free to use the provided cryptographic keys and signatures to verify PM's file integrity, though!)

  • (Score: 2, Insightful) by Anonymous Coward on Saturday September 09 2017, @09:46PM

    by Anonymous Coward on Saturday September 09 2017, @09:46PM (#565771)

    Equifax will issue multiple public mea culpi vowing to harden their security, which they won't.

    Lawsuits will be filed amid much bloviation, and armies of lawyers will eventually agree to a "settlement" that pays all the lawyers and nobody else.

    Media and politicians will cluck, squawk, and flap their wings for a few days, till the next Russia or Melania fashion story breaks.

    There will be some heartbreaking victims, who will receive nothing but lip-service from the media and nothing at all from Equifax.

    And we'll be right back where we started. You can bet on it.

  • (Score: 4, Informative) by Chromium_One on Saturday September 09 2017, @11:18PM

    by Chromium_One (4574) on Saturday September 09 2017, @11:18PM (#565790)

    If you check if you're affected by the Equifax breach by using their site ... No, you aren't signing away your right to sue.

    The NY AG had something to say about that language, and Equifax backed off.
    http://thehill.com/policy/technology/349826-users-checking-to-see-if-they-were-affected-by-the-equifax-hack-might-be [thehill.com]

    Also from Snopes, I do believe they were a bit late to the party,
    http://www.snopes.com/equifax-credit-monitoring-class-action/ [snopes.com]

    Yeah this is something certain companies would try, but just because you're told you're waiving rights for whatever reason doesn't automatically make it true either.

    --
    When you live in a sick society, everything you do is wrong.
  • (Score: 0) by Anonymous Coward on Saturday September 09 2017, @11:26PM

    by Anonymous Coward on Saturday September 09 2017, @11:26PM (#565793)

    On a page about its Insight score, Equifax says [equifax.com] it has "data on more than 187 million unique consumers, 27 million of which have no consumer credit file." By subtraction, 160 million have a consumer credit file. I wouldn't assume Equifax has files on all 160 million—there are other credit reporting agencies—but I would assume that it offers the Insight score of everyone for which it has a credit report. With those assumptions, I conclude that Equifax maintains no more than 160 million credit reports. It acknowledged that data on 143 million people was stolen. With my assumptions, that's at least 89% of the records it keeps. If they had a record about you, chances are excellent that it was stolen. I'm tempted to suspect that all of Equifax's credit reports were stolen, but I can't support that.

  • (Score: 2, Informative) by Anonymous Coward on Saturday September 09 2017, @11:30PM (2 children)

    by Anonymous Coward on Saturday September 09 2017, @11:30PM (#565794)

    The people at Snopes rated [snopes.com] the statement "If you sign up for Equifax's credit-monitoring service, you cannot join any class-action lawsuit against the company." They say it's a mixture of true and false.

    • (Score: 2, Touché) by Anonymous Coward on Sunday September 10 2017, @12:06AM (1 child)

      by Anonymous Coward on Sunday September 10 2017, @12:06AM (#565811)

      Yeah, it's true that Snopes is false. They suck.

      • (Score: 1, Touché) by Anonymous Coward on Sunday September 10 2017, @10:19PM

        by Anonymous Coward on Sunday September 10 2017, @10:19PM (#566047)

        What, exactly, that they said is false?

  • (Score: 3, Insightful) by Anonymous Coward on Sunday September 10 2017, @12:22AM (2 children)

    by Anonymous Coward on Sunday September 10 2017, @12:22AM (#565817)

    hahaha, what a funny country. People can just be tricked into signing their rights to the legal system away and it's somehow legal. Joke country.

    • (Score: 1, Offtopic) by Anonymous Coward on Sunday September 10 2017, @01:52AM (1 child)

      by Anonymous Coward on Sunday September 10 2017, @01:52AM (#565839)

      Some fucktard moderates this as troll because what he said was true. No worries, I upmodded. Truth is.

      • (Score: 5, Interesting) by Mykl on Sunday September 10 2017, @09:56AM

        by Mykl (1112) on Sunday September 10 2017, @09:56AM (#565917)

        Agree. I don't know who keeps downvoting this particular thread, but it's absolutely true. The fact that a business can throw a single clause into a contract to completely prevent anyone from any legal recourse is horrific. The fact that this state of affairs still remains shows just how much congress’ votes have been bought and paid for.

  • (Score: 0) by Anonymous Coward on Sunday September 10 2017, @08:49AM (1 child)

    by Anonymous Coward on Sunday September 10 2017, @08:49AM (#565909)

    Someone said that he entered "Test" and "123456" on Equifax's checker and was told that he'd been compromised. https://mobile.twitter.com/zackwhittaker/status/906247688768905216/video/1 [twitter.com]

    • (Score: 0) by Anonymous Coward on Sunday September 10 2017, @05:19PM

      by Anonymous Coward on Sunday September 10 2017, @05:19PM (#565981)

      And now probably about 147 people can't sue them. Only 99999 checks more and they will get away unscratched. Why did they decide to use 6 digits of serf number instead of 1? It would go much faster that way.

  • (Score: 2) by realDonaldTrump on Monday September 11 2017, @05:00AM

    by realDonaldTrump (6614) on Monday September 11 2017, @05:00AM (#566126) Homepage Journal

    If you sign up for the TrustedID you have 30 days to opt out of the arbitration. You'd better write to them by certified mail, with the green slip. Be smart, don't be a LOSER! 🇺🇸
