Over 275 days since Equifax’s data breach settlement and no one has been paid (interest.com)
511 points by ProAm on April 30, 2020 | 152 comments



From the settlement web site:

"The Court gave final approval to the Settlement and overruled all objections on January 13, 2020. However, some of those that objected to the Settlement have now appealed the Court’s decision to approve the Settlement. By order of the Court, the Settlement cannot become final until all appeals are resolved and there is currently no timeline for the resolution of these appeals. When the appellate court enters a schedule for the appeal, we will update this website to provide individuals with more guidance as to the timing of a decision. Please check back for further updates."


iirc, other than writing the Court a letter, this was the other major way to indicate your displeasure towards the settlement


Come on now that is not quite true. Some politicians got paid to make this thing go away with a legislation.


No idea why, but I always feel any company dealing with blackbox credit rules is very fishy... wish there was a way to remove them from the financial system.


Having lived in Argentina and The Netherlands all my adult life, I don't fully grasp why you even need those companies -- probably due to the fact that average citizens never deal with those (if they even exist here).

I do think that American culture is a lot more credit-based though, whereas in many places, people don't spend money they don't yet have (eg: I don't have a credit card, and neither do the grand majority of my friends).


EDITED: the below is wrong (as stated by a child comment). There is a diversity of systems in Europe.

OLD COMMENT: Here's the thing, as far as I know, Europe does not have those companies. So it definitely should be possible to do without them...


Your comment was correct. As far as France goes, none of the credit agencies exist.

To rent a place in France, you show your yearly tax statement to prove income and your national ID card to prove identity.

The concepts of credit check and rating simply don't exist at all, you couldn't even discuss them because it's completely alien and there ain't words for it. Imagine trying to have a discussion about trains to a medieval villager.

Living in the UK right now and the worst thing is, the UK has the exact same legal documents (driver license, passport, tax statement) that you have to provide as well. The only difference is they're forwarded to a check agency that provides no value and has no justification to exist, but to accumulate that data on everyone and resell it. I suppose the US is similar but don't know, never lived there.


That is not true. It is almost impossible to rent a flat in the larger cities of Germany without showing a positive credit record to the landlords. And requesting even small credits of a few k will have your credit rating checked and recorded that such a check happened.


You are correct, I was unaware of the German case! In fact, it seems that many European countries do have a credit score system. Some do have other systems: https://en.wikipedia.org/wiki/Credit_score#Germany

Here are some countries within Europe who do not have a credit score system:

- Belgium has no centralised credit score system. However, banks can ask the Belgian counterpart of the FED for all loans held in your name when you request a new loan. The national bank keeps a register of all loans.

- United Kingdom: There is no such thing as a universal credit score or credit rating in the UK. Each lender will assess potential borrowers on their own criteria, and these algorithms are effectively trade secrets.


As a Brit, I feel I should point out we definitely do have credit ratings. The three main ratings agencies are Experian, Equifax and TransUnion.


The Experian Credit Rating Agency actually results historically from what happened before CRAs existed.

Last century "Mail order" was an exciting new business opportunity. You send people (mostly housewives) a catalogue explaining what's on offer, and then they pick items from the catalogue and you deliver them. You can have a much broader range of products than their local stores, and the catalogue offers a good way for cautious shoppers to compare options and make a decision at their leisure.

There was a problem. The customer has no prior relationship to you, but of course they don't want to pay you for potentially very expensive goods, in advance, unseen. A local store might know exactly who the customer is, if that's a nice house or a tiny cottage, what the husband does for a living. Your mail order catalogue company has no idea.

So you began to just collect observable facts. Mrs Smith still owes you £208 from last year when she bought the dining room set, and hasn't made a payment on it since January. Mrs Jones on the other hand has paid every penny she owed, regular as clockwork. So when Mrs Smith tries to order a new frock, you remind her about the outstanding £208 by return of post - and when Mrs Jones does you send the frock immediately.

Gradually other new businesses wonder if they might take advantage of this knowledge. Mrs Jones wants to buy a car, cars are expensive but she'd make payment every month. The first dealer she visits suggests her husband should buy it. Mrs Jones doesn't have a husband, and she walks out in disgust, no sale. But the second dealer has an idea, that mail order catalogue company might know if Mrs Jones is good for the money. They agree, for a fee, and on condition that the car dealer tell them if Mrs Jones makes each future payment on her credit deal, which seems harmless enough.

And one day the catalogue company realises that 80% of its revenue is from this "Credit Reference" side business of knowing that Mrs Jones is a better risk than Mrs Smith and the catalogue sales are nice but they aren't really the same business and needn't be the same company.

If it hadn't already happened last century, today Amazon would be your Credit Reference Agency, yet another opportunity to enrich Jeff Bezos...


Really interesting background. I'd no idea this is where it all came from.

It's pretty clear that nowadays with much safer online payments, there's really no need for these credit checks any more -- you pay online, and if you get scammed there's solid proof of whom you paid and how much.


In the UK the electoral register can be purchased by advertisers, etc. You can opt out of this.

The electoral register is also given to the big credit reference agencies. This is obligatory. If you want a vote then Experian (and the rest) get your data.

Credit reference agencies most definitely operate in the UK.


Anything east from Germany no credit rating companies.

Germany has unusually strict laws about this. It's hard to rent a flat but it's also hard to kick someone out of a flat.


Australia, New Zealand, Canada certainly don't.



I can't get my [knowledge-based authentication] data back. I don't want their measly $125 from them (it will cost me far more time and money when this breach is used against me). I want them to pay the cost for the government to replace the SSN as an identifier. And to pay for the government give me a new SSN in the meanwhile... and they don't get to store the new SSN in their database (because they dun messed up). I think that would be a better outcome for everyone.


There's no need for SSN at all.

Everyone is identified by their birth date, the name of their mother and their birth place. (Their own name is not that important, for example twins can pull off identity fraud easily, as they can pretend to have the name of their twin, and how would anyone know!?)

Sure, we can go full 1984 and GATTACA and use biomarkers and papers and whatever. But that just puts many edge cases out of scope, doesn't solve them at all.

If someone shows up at the bank and claims to be someone, they can produce documents, either via simple forgery or by stealing someone else's "identity".

They can then pass all the checks the bank runs. (Sure, if there is some database that says don't open accounts for these IDs, then the scammer can start with persuading the admins of that DB to unlock the corresponding ID.)

And this will always happen as long as we allow fallbacks for people to get access to (and create) their accounts after losing (or without creating) a strong cryptographic key (password).


> birth date, the name of their mother and their birth place

Surely not, there must be a day in which two children were born on the same day in the same hospital in New York City to two women named Jane Smith?


The kicker is they reuse the SSNs. Had a gig where I was working with the 'death master' files. (It used to be much easier to get your hands on the files - https://ladmf.ntis.gov now) and it would list every SSN number used by the dead. Lots of duplicate SSNs, some malformed data, some just missing. An interesting data set to look at, and a great reminder why folks should not be using this as an identifier.


I suspect it happens to twins a lot.


I'd wager at least 100% of the time.


If only the media cared as much about ppl’s super critical data being exposed as it cares about the privacy of my Facebook Likes.


But does the media even care about that? Or was that the point you were trying to make?


"But do the media..."

Media is a plural noun. To use it incorrectly this way gives credence to conspiratorial thinking about the press.


Shades of gr[ea]y my friend. If you think of the media as each broadcaster/publisher it might be plural, but in the conspiratorial sense of things the "media" is just the propaganda arm of "them". That makes it a singular thing. QED


Depends where you live really. Some places say "the band is performing" and treat it as a singular, others say "the band are performing" and treat it as a collection of individuals. I think the latter is more of a UK thing.


The lawyers haven't finished looting the cash. Does anyone even care about the token amount of cash they're likely to receive?


It's not about the insignificant amount of money everyone will get out of it; it's about Equifax being severely punished and fined, even though that settlement won't really change anything.


Exactly. Most people didn't even get picked for payment. I don't want a shitty monitoring service I want to see Equifax bleed


> I want to see Equifax bleed

This seems vindictive. Their behaviour should be corrected and other people deterred. We shouldn't be calling for blood!


What’s wrong with a corporate death sentence in the event of such egregious mistakes? There must be a severe enough punishment in order for a company’s risk department to take things seriously.


Exactly. There's no right and wrong for companies if there's never any _real_ risk.

If people had to just pay a small fine and go on with their lives for misdeeds, we'd see people hijacking sports cars every day.


It is vindictive. When non-vindictive measures fail, the measure of last resort sadly tends to be the vindictive one. I don't know if this was part of your point (I imagine it was), but the vengeful carcerality of vindictive justice is independent from meaningful structural change that would prevent bad actors from repeating similar actions in the future. Everyone performs their role feigning outrage, repentance, regret and reconciliation, until the same thing happens all over again.

I would be surprised if that did not happen here. The collusion between credit bureaus, banks and lenders is well known for its issues to consumers, but without consequences for adverse consequences to them, business will continue as usual. Will it be savvy fraudsters who place backpressure on the crumbling ability of credit bureaus to prescreen for credit-worthiness? Will upstart incumbents see high margin, low fitness targets ripe for disruption? Will corporate raiders see ossifying remains just ripe enough to be scavenged? Even if all answers to these questions were in the affirmative, I don't know if any of that would lead to immediate change. But, I'd be surprised if business continued as usual forever. The bar for a step function level improvement is quite low, if you could somehow retrofit a better way to pull credit into legacy underwriting processes.

Source: Early stage engineer and prior executive at $PREVIOUS_FIRMS that included two growth stage consumer lending startups.


They pioneered the knowledge based authentication approach. It was never a good one. It's now utterly broken now that they leaked everyone's information.

At the very least, Equifax should be destroyed. And society would benefit more if it were destroyed in such a way to be an example for future organizations working in the space.


Don't worry, it's only metaphorical blood. Equifax is just a concept, and can't be physically hurt.


Their business model shouldn’t exist. That is precisely why we should punish them.


Do you think that Equifax provides the general public with a useful service?


I do. They allow people who are lending money or extending credit to know what kind of risk they are likely taking on. They also let you know how risky you appear to be when you ask someone for a loan or credit. This allows people to reduce their risk, and it allows people to understand and manage the risk that they present.


Each party to a transaction has a different perspective. Speaking about the benefits to one party while ignoring the harm to others is nonsensical. Comprehensive surveillance databases obviously benefit lenders, or they wouldn't pay to create them. But general society is harmed by creating surveillance records that would make even the most staunch Stasi agent blush.


> Speaking about the benefits to one party while ignoring the harm to others is nonsensical.

But I did mention both parties. When I want credit it lets me understand my own risk profile and to manage it:

> They also let you know how risky you appear to be when you ask someone for a loan or credit.

> But general society is harmed by creating surveillance records that would make even the most staunch Stasi agent blush.

I think bad lending and borrowing is a major risk to society.


Speaking how one party can better conform to the other party's requirements is not an honest description of both perspectives.

Bad lending is better attributed to a mistaken belief that borrowers can be perfectly modeled to reduce variance. The economic crunch we're currently facing has been directly caused by cheap credit based on such assumptions which, once again, turn out to be suddenly correlated.


It seems like this is 'really about' a bunch of lawyers getting paid.


You just described every class action lawsuit.


How are the lawyers the bad guys in this data breach issue? Equifax, it's what's for dinner.


It’s really a loss for consumers across the United States.

The reality is that a large part of the fintech sector still depends on the data provided by Equifax. Their data is also used for KYC and other security use cases.

We have started Truework (https://www.truework.com) to break that dependency and give consumers control of their data. If you’re interested to help us, please contact me by email.


The Work Number collects payroll information from employers without informing employees that they turn around and sell that information to third parties. They mislead people by saying they don't release pay information without employee authorization while neglecting to mention they sell everything else without asking permission or giving notification.

It looks like you're doing similar kinds of data collection directly from employers. If an employee doesn't request income verification or any other service from you folks, do you collect any data on that employee?


Can we force them not to collect this info via the recently passed CCPA in California?


wl, you summarized pretty well how it works indeed :-). A lot of players in the industry hide behind long legal documents.

In our case we get employee information from your employer but it’s never shared to third-parties by default. We always go through the process of notification to the employee before releasing any data and, as an employee, you can refuse to share that data. The requester is in a holding pattern until you consent to data sharing.

Hope that helps


Ultimately the purpose of your enterprise is to help employers collude to suppress wages. Please shut it down and disappear. Otherwise I hope you die toiling in poverty.


> It’s really a loss for consumers across the United States.

> The reality is that a large part of the fintech sector still depends on the data provided by Equifax. Their data is also used for KYC and other security use cases.

> We have started Truework (https://www.truework.com) to break that dependency and give consumers control of their data. If you’re interested to help us, please contact me by email.

I would be curious to know more about how you give consumers control over their data. I took a look at your link but it is not clear to me.


Hey Vageli,

Thanks for your question. I wish our website was clearer :), but we’re working on that!

When Truework gets a request for data on you from a third-party we send you a notification to know whether or not you want to share your data with that third-party.

If you refuse, we will not share that data. It’s different from the current model that our competitors use, which is to just share right away.


Thank you for taking the time to respond :)

That is an interesting model, it seems to me that Truework would position itself as an identity aggregator of sorts. In that case, it seems a large challenge would be gaining the trust of organizations (which it seems you are succeeding at, congratulations!).

Among my worries are that this establishes a rather large target for data breach as presumably the company would hold identity docs and other documents used for authentication or verification purposes. Out of curiosity, since my experience is more in banking/healthcare, is Truework subject to any regulatory framework?


No problem!

Yes, earning trust is the most important piece. However, organizations are excited to participate once you show that you have the right security & privacy practices in place. We've had a lot of great momentum there.

For regulatory frameworks, it depends on the circumstances and the type of data that you are dealing with. For most of our use cases, it's:

* FCRA, aka Fair Credit Reporting Act that all Credit Reporting Agencies must follow.

* HIPAA, for health data

Of course, you have more generic frameworks such as CCPA, GDPR but that's true for all companies.


Once the 3rd party has a copy of the data, now they can freely share it with their 'partners and associated companies.' You're helping me, yes. But you're friction for a bank and I don't know how you could possibly stay in business for the long term in that position.


Right — curious how this company is truly doing anything different than Equifax? You’re still aggregating sensitive personal information and selling it to verifiers. What’s the long term plan to actually make a difference?


To offer a counter, some organizations would rather introduce friction if it limits their liability or reduces risk.


If I remember the settlement details, something like 75 million was for legal fees.

I bet they've been paid.


Why is the company that had the breach managing the payments? Surely it should be neutral third party who then just passes on the final bill.


Yeah, I'm pretty sure that neutral party should be the court.

If I get a fine, I'm sure I can't just wait a few years to pay it with no big deal behind that.


Call me cynical, but when I read the news of the breach I went and bought EFX call options for 3 months. Because even though I am not sure whether the "deep state" exists or it's a conspiracy theory, I was somehow confident that I was making a good investment. It has paid off handsomely indeed.


When you buy calls but don't have the capital to exercise those calls, do brokerage services lend you the money to collect on the gains assuming your call is in the black?

I have a pretty good stock portfolio, but I haven't dipped my toes into the call/put, futures, derivatives, "iron condors", etc. world yet.


In that case you simply sell the call, instead of exercising (assigning) it. I switched to selling puts instead since then.


Are your puts covered? How do you mitigate the risk of the stock going up?

I need to learn a lot more before doing this.


Yes, puts are covered for now. There are several standardized levels of account access to buying/selling options. I think selling naked puts requires Level 5 while selling covered puts requires Level 3. I recommend practicing buying options first, and selling the options that you have bought, before selling covered or naked options.


Selling puts is bullish. You are selling someone the option to sell you shares at a given price so if the stock goes up, you collect the premium (since no one will voluntarily sell you something at a lower price than the spot price). If the stock goes down, then you are buying shares at a price you presumably deemed sufficient to hold in the long term.


When you sell a put, the risk is in the stock going down, not going up.

So you need to have enough cash in the account to buy the stock at the strike price of the put (or be long longer dated or further out of the money puts).


The risk of the stock going up is that you make a lot of money :-)


It's usually in your best interest to sell the options before they expire as the extrinsic value decays every day. If they expire in the money, they are generally exercised and liquidated at the same time before market close of the expiry date.


I suppose the cost of the loan to exercise the option would be equal to the difference between that and selling the option?


I don’t get the connection?


I think GP is implying that you can trust to invest in institutions like Equifax because they are propped up by the government and 'too big to fail'. Not sure I agree, but then again, there's the proof.


He made more with those call options than anyone will ever get from the breach settlement.

I bought stock in one of their competitors (TRU) which was also down around the same time. Even with all the craziness in the markets, it's still up close to 80% in a little over 2.5 years.


Equifax has done well despite the breach.


I think I would have preferred the company be removed of their ability to collect credit information than any other penalty.


I suppose "the company be dissolved, its records thoroughly purged, and its ability to legally operate revoked" is a bit too much... though it shouldn't be.


Why is it a bit much? I think the "corporate death penalty" is appropriate when you fail to protect the financial history of 147 million people.


That was done for one of the US accounting companies, Arthur Andersen, related to Enron financials.

Nobody, including the govt., was happy with the final result.

So although it should be on the table, in reality, it probably won't come from the govt.

https://en.wikipedia.org/wiki/Arthur_Andersen


How could the result have been any different or better? I don't see where anyone's claiming the government was unhappy with the final result. Rotten firms like this need to die.


The thing is that when the reasonable solution is "Stop the company doing its core competency" you need to realise that almost everything else the company does is going to be "exploit whatever it has left". So forcibly shutting down the company is far more reasonable than just stopping it from collecting credit information.


The US credit system is a bunch of bullshit anyway.

> "Good credit is for poor people" - words of a wealthy friend.


> > "Good credit is for poor people" - words of a wealthy friend.

By "poor" he likely means anyone who has to borrow for anything, including a home (60% of homeowners) or auto purchase (44% of individuals). So basically just about anyone who has to work for a living.

He probably also means "worrying about credit", vs "using credit as a financial optimization tool"

EDIT: changed "households" to "homeowners". 65% of Americans are homeowners, which means 65% * 60% = 39% of Americans have mortgage debt. Note that credit score matters a lot for those who rent also, since many of them are saving for a down payment for a mortgage, and most landlords require a credit report if you hope to rent their properties.


There's no way that only 60% of households borrow for a home. It might be that only 60% are borrowing against their home right now, but in that case you're probably talking about 99% of the people not borrowing against their home being pensioners. Those aren't particularly rich people, they're just in a different part of their life. (It also wouldn't matter if they were credit worthy because no one is going to give a mortgage to an 83 year old)


He didn't specifically say that it was 60% of homeowners. Could be 60% of households have mortgages, the other 40% either own outright or rent.


I don't get it. It seems like keeping good credit is easy. Why can't you have good credit and be wealthy?


Rich people mightn't have a stellar credit score, but they're still creditworthy.

Your credit report is really a way of automating what a bank manager would have done at some point for every customer, i.e examine your finances, references, legal history, etc.

It's really just a model for consumer creditworthiness of someone earning under the 95% percentile of wealth. As it's needlessly laborious for a bank manager to examine you in depth for a $5'000 dollar credit card.

Credit scores are not a factor in nearly any big loan. One might be utilising most of their available credit (as their limit is low), or have failed a few hard searches. In the case of a big loan like a mortgage, it's not so automated and is worth digging deeper.

When you're rich, every loan is a big loan - and it's worth the bank's time determining how much they should lend to you on a case by case basis.


Great explanation!


Wealthy people don't need credit cards, car loans, and mortgages, and most other kinds of loans that would show up on a credit history. They may use them, and if they do they should have a really good score unless they're bad with money. But if they choose not to (as they'd be able to, more easily than others at least), their score would drop until their credit history was blank.


I would bet the vast majority of wealthy people have substantial debt. I mean, if you're going to buy a $10M home, why would you use your own money when the bank will loan it to you for next to nothing?


Not every loan goes to the credit bureaus. Wealthy people have access to many more credit vehicles than the rest of us.


You can but few do. Credit Reference Agencies monitor your use of credit. They do so imperfectly but they don't see any non-credit transactions at all.

So for example I wouldn't describe myself as wealthy but I'm comfortable. I don't like debt. So, CRAs see only the faintest shadow of me. For you I've just logged into an account to see the Equifax data for myself.

Equifax scores me 459/700. It knows I exist (because I have registered to vote and I pay tax) and it knows I have a mobile telephone contract. It has no idea I have a credit card (I do, though it automatically pays off the balance every month) and of course it has no idea I own a home, since I did not take out debt to purchase it, nor does it have any idea that I don't currently have a job.

459 isn't terrible, but it's not great even though I'd actually be a completely safe risk for even a relatively large credit purchase such as a yacht or small house. It has no insight into that, so it can't judge.


I imagine extremely wealthy people buy everything cash.


Extremely wealthy people have a tax-shell liability-shielded offshore trust operating company buy things for their benefit using leveraged debt secured on junk assets.

In the rare case where for some compliance reason they must have a more direct link to the asset, they’ll transfer the item to a holding entity (in which they have indirect but controlling interest) and then lease it back.

If the unthinkable occurs and a very wealthy person commits to actually buying something directly themselves by mistake, they (or rather, their staff) will demand delivery before payment and then either stiff you on the bill or pay at most 70% of it, six to eighteen months later.

These are practices established centuries ago by the British aristocracy and remain alive today.


Extremely wealthy people (i.e. 9-digit+ net worth) have teams of lawyers and accountants that figure out the optimal way to allocate the client's cash to achieve their goals. That may or may not include incurring debt, etc. Rich people borrow money too (not because they need to, but because it ultimately can make more financial sense to do so).

(there are of course exceptions to this, there are rich people bad with money or who want to look like they're richer than they actually are, but in general rich people stay rich by being smart about their money)


Wealthy people don't leave money on the table. If they can earn "free money" with a credit card point game, then why not?

Some of the cheapest people I know are wealthy. Cheap as in, they negotiate the hardest for the lowest price, even though it is meaningless to them. I have been told outright on more than one occasion that it's not about trying to make something affordable, but more of the sheer enjoyment of making someone else take less just because they can.


Second this. When my extremely wealthy CEO overheard I was in the market for a new vehicle, he happily volunteered to get on the phone and pit 3 local Ford dealerships against each other in a bidding war for my business. I ended up saving an additional 12% off what I thought was already a discounted price. I think a majority of us regular people don't know how to tap into that ruthless negotiation when buying cars, houses, mattresses, etc.


It's more complicated than this:

They indeed tend to not buy things on rates, so not too much "uplift" in your scores.

People which are wealthy tend to also try to get higher credits (for it to be worth it) and buy more expensive things so if they mess up it's often much more expensive for banks.

Not all people can handle money so there are a bunch of people which will never stay wealthy. Combined with the point above => higher rise.

Some care less for penalties when paying late and might "optimize" payments in ways which are not always mean on time/good for the score.

Lastly there are a bunch of wealthy people which optimized their business so that they only earn as much money as they need. They can always increase it but the banks can't trust this so they only see a person which might have problems paying back. (Note that not all of these people do illegal or immoral practices, some just only work as much as they need and not any bit more).

Lastly there is a simple question:

What does it mean if a rich/wealthy person _needs_ a credit?

(Btw. it's a different matter if it's not a private credit but for a company.)


I assumed it meant wealthy people continually get a clean slate when they mess up. So there is no concept of maintaining credit when allotted unlimited "redo's".


.. at least in the US, this is not true.. some wealthy people have serious marks on their credit scores and it does follow you


I figured it was the opposite.


The rich don't need to care about credit. Having good credit only enables you to borrow more money.


Uhhh no. Rich people leverage their good credit and assets to become even richer.


Exactly and poor people rack up debt and can't even pay them back. How does that equate to good credit?


If it’s anything like the British aristocracy then “wealthy” people are deeply in debt all the time anyway and leveraged to the hilt and one crisis away from bankruptcy (bad credit) but keep getting loans because of their status. Is that what they meant?


I assume it means: You don't care about your credit score once you have a certain amount of money, because the limits of a bad score do not really impact you:

- Not approved for a car/house/boat loan? Sell some investments and pay cash.
- Turned down for a credit card? Get a secured card, or even a pre-paid card. Or carry cash.
- Turned down for a cell phone plan? Buy prepaid.


No, it means you dangle boatloads of potential fees and illusions of assets under management in front of the banker's eyes, like Trump did with Deutsche Bank, and then watch the loans spew forth unencumbered by a silly third-party "score".


Is there a reason the triopoly (with Experian and Transunion) persists? I know the bond raters have some government granted status. If it’s the same situation for Experian, maybe they could lose that status to some other company?


Inertia, I assume. You can't get any kind of serious loan without a report from all three, and other things like background checks and rentals usually have one or two they prefer.


I recall reading that Plaid (now acquired by Visa) was working on creating its own credit scoring service.


How could consumers force this outcome?

Is there anything we can (collectively) do?


Everyone has to stop using services from financial institutions who use Equifax (i.e. almost all of them) until they cut ties with Equifax. If millions of people close their BoA account in a single day, I imagine BoA would dump Equifax.

Of course, like most vote with your wallet schemes, this would never work in the real world. Anything that requires collective action of millions or billions of individuals, will either die with a whimper or make its way to history books as a once-in-a-century event. We cannot solve climate change by boycotting polluting companies; there is no way enough people join the boycott to make a difference. This is the same.

Like climate change, the only realistic path of success is political pressure. Equifax will remain as is as long as the legislature leaves them alone. If you want this to change, get involved in politics, write to your politicians, run for office.


Yes, it is called activism.

Here is the formula:

0. Start up a nonprofit with the sole intention of eliminating nontransparent consumer credit reporting and data collection.

1. Come up with a charter for the organization.

2. Promote the organization (distribute pamphlets, have public meetings, speak at colleges, lecture halls, churches, newspaper op-eds, etc).

3. Attract like minded people.

4. Raise funds.

5. Promote and support politicians with similar objectives or convince existing politicians through lobbying.

6. Change local state laws to ban the practice.

7. Change state laws for a majority of states in the US to ban the practice.

8. Change federal laws to ban the practice.

9. Block and impede efforts by greedy companies to reverse the new regulation.


You made a typo, step 4 was meant to be "Raise funds by selling your organisation to Ethos capital"


What is Ethos Capital?


They're the guys buying .org so they can jack up the prices.


Vote. Vote in the primaries. Vote in local elections. Vote in federal elections. Vote for people who will make their business model, in the manner they practice it, illegal.

If you don't want to vote, you can get even better ROI if you convince other people to vote instead.

As a consumer you can't do anything. You are not their customer. They are not accountable to you. As a citizen, you have power. They require your permission to operate.



Opting out should be available

And a corporate death penalty should exist. Destroy the company completely.


I was hoping that such an egregious case would merit at least an enforced slap on the wrist. I guess even the talk of insider trading did not change that outcome. This, along with other recent events, suggests that the justice system is tiered. This does not bode well for the future of the republic.


I want to sue the credit agencies for stalking me.


Would you need to first file a restraining order, or can you just jump straight into litigation?


In America, you can always jump straight to litigation. It doesn't mean you'll win, and Equifax almost certainly has deeper pockets than you do.


The deeper pockets wouldn’t be the problem. You give permission to financial institutions to share your data with the credit reporting bureaus, so good luck fighting that in court.


Do you really give permission/consent, or just accept the fact that you have no choice in the matter? A guy puts a gun in your face and says give me your wallet. You're not giving him permission to take your belongings. You're just doing what you have to do. Yes, I am equating the terms modern financial systems use to a gun in my face.


Where can I find a good summary/timeline of events of this whole Equifax breach?

EDIT: googled, reading this[1] now.

1- https://www.csoonline.com/article/3444488/equifax-data-breac...


I doubt that headline is really correct: likely the lawyers have some cash to show for their efforts. Who cares about the actual claimants?


Have the lawyers been paid?


In a surprise to no one...


The data has never surfaced. I have to wonder if anybody who claims they had direct identity theft because of the breach automatically loses their claim.

https://www.cnbc.com/2019/02/13/equifax-mystery-where-is-the...

It's interesting that most coverage of the incident ignores that detail. I guess people really don't like to hear it because it doesn't fit their narrative. Whatever this interest.com article is, it has very little value. It reads like SEO spam. It doesn't discuss any of the developments in the last three weeks, such as Chicago, Indiana, Massachusetts all working out settlements.


I'm surprised to just be learning that it was probably a governmental cyberattack.


China at this point has an amazing blackmail database — just correlate credit information with LinkedIn and Facebook data, and it’s trivial to find people with clearances or access to corporate secrets that you can get leverage on. Combine that with their attempted purchase of Grindr and other dating apps and you see a pattern.


Like I said, it doesn't fit the narrative of "data collectors = bad", it doesn't create the right emotional response, it doesn't help people hate Equifax more, so it gets suppressed and immediately downvoted, on any forum.

Equifax can both be negligent and immoral AND not have caused any systemic identity thefts (that we know of, yet) from the event. I do think "a foreign government got the data on me" drastically shifts what the future threat from the exposure is, which should also change the settlement that was made under the pretense of them leaking data to traditional identity thieves or a black market.


> Like I said, it doesn't fit the narrative of "data collectors = bad", it doesn't create the right emotional response, it doesn't help people hate Equifax more, so it gets suppressed and immediately downvoted, on any forum.

Have you considered that this might be caused by blind spots in your own news consumption?

For example, you previously linked to an article from 2019 that suggests the breach might have been a governmental attack, but you seem to have ignored the fact that 4 PLA members were indicted in February. There was widespread news coverage about this, including multiple submissions on this very forum. https://news.ycombinator.com/item?id=22289826 does not look like it was "suppressed and immediately downvoted".


To be clear, are you saying that in order for a data breach to be considered legitimate, the plundered data needs to be released publicly?


Part of the claims process for this settlement was stating that you suffered losses due to the breach.

If they can prove that the data never leaked, then everyone's claim becomes invalid, because you didn't suffer any losses from the breach.


Even if you did not have your identity stolen yet, losses from the breach can be as simple as "I bought an identity monitoring service due to the breach happening." It says so on the settlement's website: https://www.equifaxbreachsettlement.com/

"Time Spent during the Extended Claims Period recovering from fraud, identity theft, or other misuse of your personal information caused by the data breach"

In this case, the "misuse of [my] personal information" is the fact that it was leaked by Equifax to an unknown third party.

> If they can prove that the data never leaked,

I don't know how this would be possible, considering they announced that it did leak: "In September of 2017, Equifax announced it experienced a data breach"

Unless you mean, prove that the data has not been used yet. Which doesn't seem like a fair stipulation to the ~150 million impacted people. And it also doesn't seem possible to prove.


I want to be clear; I am not trying to downplay the severity of this. On the contrary, it's probably worse. The pretense under which the settlement was made was a faulty understanding of reality. Despite that, it doesn't give me the moral authority to lie for a piece of the faulty claim.

What I mean by that is that we were told there was a breach, and that if we signed up for credit monitoring services we were entitled to money. We were told to use our time to freeze our accounts. That, however, did nothing to protect us from what actually happened. A nation state's military collected the data. That is arguably worse than it being used by cyber criminals to take out loans and credit cards. We were given the impression that we needed to protect ourselves from people opening accounts in our names or using the data to access accounts. That in no way reflects what risk we are actually exposed to.

Equifax put us in harm's way of a MILITARY. Not petty identity theft. How do you even quantify what kind of threat that is? The settlement doesn't reflect that. It doesn't mean that despite the settlement not reflecting reality, that I should go say they owe me $125 dollars for credit monitoring services. Especially when damn near every bank in the country offers it for free. Tons and tons of press were saying "if you already have credit monitoring services, just fill out the form." It doesn't work that way, and because I'm not getting compensated for a Military threat, doesn't make it OK to claim what I am not entitled to. It doesn't make up for it. There is no way to quantify what the monetary damage of the threat actually is. There is no way to know how 20 or 30 years down the road it could make travel more dangerous. Just because the settlement is wrong, doesn't make it right to file a false claim.

If people really did go pay for credit monitoring (not free stuff they signed up for or already had), or did spend lots of time freezing credit, they do deserve compensation for time wasted based on Equifax giving us the wrong information. But since I was not harmed in the way they told me I was when they made the settlement, I shouldn't be ethically entitled to settlement money doled out under false pretenses. Two wrongs don't make a right, nor do they make us whole.

>"Time Spent during the Extended Claims Period recovering from fraud, identity theft, or other misuse of your personal information caused by the data breach"

If we agree that the data has never left the government that collected it; we can determine there was no fraud, identity theft, or misuse, then I could not have spent time "recovering from it." How do you even know how to "recover" from a military collecting data on you?

>Which doesn't seem like a fair stipulation to the ~150 million impacted people.

The real victims could be large organizations who are penetrated using the data to answer security questions or verifications. I still find it unlikely this data has yet been used in a direct attack against the impacted people.

This all stemmed from me asking if providing false information to a claim could make you ineligible. I would consider it false information to say "I was directly attacked and spent time performing recovery actions and had money stolen from me" due to this breach (as far as we know, nobody has yet had an incident because of it, and there is no actual way to recover, short of an EMP burst), or to claim that the free credit monitoring I already had counts towards some kind of time wasted credit. It is my opinion that the intent of "Time Spent during the Extended Claims Period recovering from fraud" IMPLIES there was some kind of fraud that occurred to some people, and that isn't the case. And the large claims against this settlement are for MONEY LOST due to direct attacks. Those are the types of settlement claims I am asking if could be made invalid.

This is what the settlement site says right now.

>If you were impacted by the Equifax data breach, you may seek reimbursement for valid Out of Pocket losses or Time Spent (excluding losses of money and time associated with freezing or unfreezing credit reports or purchasing credit monitoring or identity theft protection) incurred during the Extended Claims Period if you have not received reimbursement for the claimed loss through other means.

>Out-of-Pocket Losses during the Extended Claims Period resulting from the data breach up to $20,000.

It is an odd magician's distraction, a ruse of sorts. Their settlement covers events that didn't occur to anyone, and implies the wrong future risks. Anybody who applied for this part of the claim gave false information. IF nobody had true out of pocket losses (excluding credit monitoring or time freezing) there is no legitimate claim for this part of the settlement. QED.


To the contrary, it makes this story all the more interesting. It certainly brings a new wrinkle to a news event I hadn't thought about in a while.


No, I don't think I said that.


Presuming you do think it is a legitimate data breach then, why did you suggest that victims should lose their claim to having been caught up in it?

Do you not think their (and probably your, if you're American) position of anxiety and their personal information being used nefariously is worthy of being made right? The data does not need to "surface" for it to have been used to steal someone's identity.


From a legal perspective, does providing incorrect information to a settlement somehow make your claim invalid?

People were using the correlation of "I had an identity breach around this time, it must be causation" as part of their claim. If your identity is stolen by a different party, simultaneously, how do you legally have a right to use that against a different party?

Did you read the article? The data likely hasn't been used yet, it was likely stolen by a government that is holding it for their own purposes, not using it for credit card theft.


> "I had an identity breach around this time, it must be causation" as part of their claim. If your identity is stolen by a different party, simultaneously, how do you legally have a right to use that against a different party?

I don't quite follow - do you mean "leaked" by a different party simultaneously? If that's the case, then yes, maybe it is hard to tell which party's data got scooped up by the Bad Guys. And you'd have a hard day in court against even a single actor leaking your data in the US, since it's not a strict liability crime.

In this case it doesn't matter. I did read the article: it says Equifax agreed to a settlement and they need to pay out. They haven't paid out yet. Whatever happens after that agreement doesn't retroactively invalidate the settlement. A settlement is to make the whole thing go away, regardless of whether the breach turned into an identity disaster or a Nothingburger.


The settlement is an independent event from validating claims to the settlement.

>I don't quite follow - do you mean "leaked" by a different party simultaneously?

Yes

And, from my limited understanding of the case, the settlement is not set in stone. There are still appeals, the settlement has not been accepted universally. They apparently don't need to pay out while they still have their days in court. https://outline.com/zL6mgP

>Under the settlement terms, cash benefits cannot be paid, and credit monitoring, credit restoration and identity protection services remain on hold until the objectors’ appeals are resolved.


The appeals to the settlement you linked are about the appropriate compensation for the plaintiffs, not about whether claimants are eligible.

I'm not sure how one would prove their identity theft was specifically due to Equifax's data breach even if the leaked data were available, so I don't understand how that could be a condition for a claim to be valid. My interpretation is that your claim is valid if you had data with Equifax and you subsequently spent time or money establishing credit monitoring or identity theft resolution.

If there's more to it than that, and Equifax has arranged the settlement such that a claimant has to somehow prove the source of their identity theft was Equifax, then yes, I agree even more strongly with the "Equifax bad" narrative you decried upstream. That would be impossible to prove, even if the data did surface.


If you can prove the data has never been made available, you can prove it wasn't used.

If you can prove that data existed previously, the data used came from somewhere else, you essentially prove it didn't come from this breach. You would do this by catching the people responsible for identity theft, and identifying what data source they used. It would be very unlikely for Equifax or anyone to go through this trouble or risk the bad press of attacking victims (even if they are somebody else's victims).

>My interpretation is that your claim is valid if you had data with Equifax and you subsequently spent time or money establishing credit monitoring or identity theft resolution.

I believe there were different types of claims, one being credit monitoring, and another that your data was used against you.


> If you can prove the data has never been made available, you can prove it wasn't used.

Considering that Equifax announced they experienced a data breach, it is clear the data has been made available to someone that isn't Equifax. So I don't know why we're entertaining that avenue, when it's admitted that the data has left the purview of the entity to which it was trusted.

I think we agree that it's very hard if not impossible to determine the source of identity theft. I believe that even if the data were made public, we would not be any closer to making most of those determinations. Which is why whether or not we've "seen" the data from this breach, to me, is immaterial - the fact that the breach happened in the first place caused people to enroll in credit monitoring, suffer emotional distress, and other quantifiable damages/expenses that would not have happened had there not been a breach.

That all seems to be perfectly within the scope of "time spent recovering from [...] other misuse of your personal information caused by the data breach" outlined on the settlement website[0] as validity to a claim. The "misuse of [my] personal information" happened the moment the data left Equifax's servers. It has nothing to do with whether the data got used for identity theft (yet) or shared by the thieves.

It does not say "you must prove that the pieces of your identity that were stolen came specifically from this data breach", or "if it turns out whoever stole the data sits on it for a while, then you don't get compensated" -- these are impossible stipulations, and we should hold Equifax to a higher standard in this landmark case.

[0]: https://www.equifaxbreachsettlement.com/


I think the point OP was making was that if the data hasn't surfaced, then you cannot confirm if a particular case of identity theft has been caused by the breach.


That's a fair line of thought, but their comment was: data hasn't surfaced -> can't know where an identity theft came from -> Equifax petitioners lose their right to the settlement

When the reality is: Equifax agreed to pay a settlement -> Equifax has not yet paid (and whether the material surfaces or not was not a stipulation of the settlement that they agreed to)


>data hasn't surfaced

What it really comes down to is if "data hasn't surfaced" means "we don't know if the data was used" or if "data hasn't surfaced" is something you can prove hasn't happened. It's the difference between "we don't know" or "we know your identity theft wasn't related to this."


So in your "narrative" do social security numbers and other sensitive personal details have some sort of expiration date where if they don't "surface" within a certain time frame they are no longer useable?


If they never surface, are they usable? If they are used by a government but not to steal, how do you quantify the damage?


What an absurd implication. Just because something doesn't end up in a massive file dump on the dark web doesn't somehow mean it's not usable. Quite the opposite: it's actually too valuable to dump on the dark web.



