The data has never surfaced. I have to wonder if anybody who claims they had direct identity theft because of the breach automatically loses their claim.
It's interesting that most coverage of the incident ignores that detail. I guess people really dont like to hear it because it doesnt fit their narrative. Whatever this interest.com article is, it has very little value. It reads like seo spam. It doesn't discuss any of the developments in the last three weeks, such as Chicago, Indiana, Massachusetts all working out settlements.
China at this point has an amazing blackmail database — just correlate credit information with LinkedIn and Facebook data, and it’s trivial to find people with clearances or access to corporate secrets that you can get leverage on. Combine that with their attempted purchase of Grindr and other dating apps and you see a pattern.
Like I said, it doesn't fit the narrative of "data collectors = bad", it doesn't create the right emotional response, it doesnt help people hate equifax more, so it gets suppressed and immediately downvoted, on any forum.
Equifax can both be negligent and immoral AND not have caused any systemic identify thefts (that we know of, yet) from the event. I do think "a foreign government got the data on me" drastically shifts what the future threat from the exposure is, which should also change the settlement that was made under the pretense of them leaking data to traditional identity thieves or a black market.
> Like I said, it doesn't fit the narrative of "data collectors = bad", it doesn't create the right emotional response, it doesnt help people hate equifax more, so it gets suppressed and immediately downvoted, on any forum.
Have you considered that this might be caused by blind spots in your own news consumption?
For example, you previously linked to an article from 2019 that suggest the breach might have been a governmental attack, but you seem to have ignored the fact that 4 PLA members were indicted in February. There was widespread news coverage about this, including multiple submissions on this very forum. https://news.ycombinator.com/item?id=22289826 does not look like it was "suppressed and immediately downvoted".
Even if you did not have your identity stolen yet, losses from the breach can be as simple as "I bought an identity monitoring service due to the breach happening." It says so on the settlement's website: https://www.equifaxbreachsettlement.com/
"Time Spent during the Extended Claims Period recovering from fraud, identity theft, or other misuse of your personal information caused by the data breach"
In this case, the "misuse of [my] personal information" is the fact that it was leaked by Equifax to an unknown third party.
> If they can prove that the data never leaked,
I don't know how this would be possible, considering they announced that it did leak: "In September of 2017, Equifax announced it experienced a data breach"
Unless you mean, prove that the data has not been used yet. Which doesn't seem like a fair stipulation to the ~150 million impacted people. And it also doesn't seem possible to prove.
I want to be clear; I am not trying to downplay the severity of this. On the contrary, it's probably worse. The pretenses under which the settlement were made, was a faulty understanding of reality. Despite that, it doesnt give me the moral authority to lie for a piece of the faulty claim.
What I mean by that, is that we were told there was a breach, and that if we signed up for credit monitoring services we were entitled to money. We were told to use our time to freeze our accounts. That however, did nothing to protect us from what actually happened. A nation states military collected the data. That is arguably worse than it being used by cyber criminals to take out loans and credit cards. We were given the impression that we needed to protect ourselves from people opening accounts in our names or using the data to access accounts. That in no way reflects what risk we are actually exposed to.
Equifax put us in harms way of a MILITARY. Not petty identity theft. How do you even quantify what kind of threat that is? The settlement doesn't reflect that. It doesnt mean that despite the settlement not reflecting reality, that I should go say they owe me $125 dollars for credit monitoring services. Especially when damn near every bank in the country offers it for free. Tons and tons of press were saying "if you already have credit monitoring services, just fill out the form." It doesn't work that way, and because Im not getting compensated for a Military threat, doesnt make it ok to claim what I am not entitled to. It doesnt make up for it. There is no way to quantify what the monetary damage of the threat actually is. There is no way to know how 20 or 30 years down the road it could make travel more dangerous. Just because the settlement is wrong, doesnt make it right to file a false claim.
If people really did go pay for credit monitoring (not free stuff they signed up for or already had), or did spend lots of time freezing credit, they do deserve compensation for time wasted based on equifax giving us the wrong information. But since I was not harmed in the way they told me I was when they made the settlement, I shouldnt be ethically entitled to settlement money dolled out under false pretenses. Two wrongs don't make a right, nor do they make us whole.
>"Time Spent during the Extended Claims Period recovering from fraud, identity theft, or other misuse of your personal information caused by the data breach"
If we agree that the data has never left the government that collected it; we can determine there was no fraud, identity theft, or misuse, then I could not have spent time "recovering from it." How do you even know how to "recover" from a military collecting data on you?
>Which doesn't seem like a fair stipulation to the ~150 million impacted people.
The real victims could be large organizations who are penetrated using the data to answer security questions or verifications. I still find it unlikely this data has yet been used in a direct attack against the impacted people.
This all stemmed from me asking if providing false information to a claim could make you ineligible. I would consider it false information to say "i was directly attacked and spent time performing recovery actions and had money stolen from me" due to this breach (as far as we know, nobody has yet had an incident because of it, and there is no actual way to recover, short of an emp burst), or to claim that the free credit monitoring I already had counts towards some kind of time wasted credit. It is my opinion, that the intent of "Time Spent during the Extended Claims Period recovering from fraud" IMPLIES there was some kind of fraud that occurred to some people, and that isnt the case. And the large claims against this settlement are for MONEY LOST due to direct attacks. Those are the types of settlement claims I am asking if could be made invalid.
This is what the settlement site says right now.
>If you were impacted by the Equifax data breach, you may seek reimbursement for valid Out of Pocket losses or Time Spent (excluding losses of money and time associated with freezing or unfreezing credit reports or purchasing credit monitoring or identity theft protection) incurred during the Extended Claims Period if you have not received reimbursement for the claimed loss through other means.
>Out-of-Pocket Losses during the Extended Claims Period resulting from the data breach up to $20,000.
It is an odd magicians distraction, a ruse of sorts. Their settlement covers events that didn't occur to anyone, and imply the wrong future risks. Anybody who applied for this part of the claim gave false information. IF nobody had true out of pocket losses (excluding credit monitoring or time freezing) there is no legitimate claim for this part of the settlement. QED.
Presuming you do think it is a legitimate data breach then, why did you suggest that victims should lose their claim to having been caught up in it?
Do you not think their (and probably your, if you're American) position of anxiety and their personal information being used nefariously is worthy of being made right? The data does not need to "surface" for it to have been used to steal someone's identity.
From a legal perspective, does providing incorrect information to a settlement somehow make your claim invalid?
People were using the correlation of "I had an identity breach around this time, it must be causation" as part of their claim. If your identity is stolen by a different party, simultaneously, how do you legally have a right to use that against a different party?
Did you read the article? The data likely hasnt been used yet, it was likely stolen by a government that is holding it for their own purposes, not using it for credit card theft.
> "I had an identity breach around this time, it must be causation" as part of their claim. If your identity is stolen by a different party, simultaneously, how do you legally have a right to use that against a different party?
I don't quite follow - do you mean "leaked" by a different party simultaneously? If that's the case, then yes, maybe it is hard to tell which party's data got scooped up by the Bad Guys. And you'd have a hard day in court against even a single actor leaking your data in the US, since it's not a strict liability crime.
In this case it doesn't matter. I did read the article: it says Equifax agreed to a settlement and they need to pay out. They haven't paid out yet. Whatever happens after that agreement doesn't retroactively invalidate the settlement. A settlement is to make the whole thing go away, regardless of whether the breach turned into an identity disaster or a Nothingburger.
The settlement is an independent event from validating claims to the settlement.
>I don't quite follow - do you mean "leaked" by a different party simultaneously?
Yes
And, from my limited understanding of the case, the settlement is not set it stone. There are still appeals, the settlement has not been accepted universally. They apparently dont need to pay out while they still have their days in court. https://outline.com/zL6mgP
>Under the settlement terms, cash benefits cannot be paid, and credit monitoring, credit restoration and identity protection services remain on hold until the objectors’ appeals are resolved.
The appeals to the settlement you linked are about the appropriate compensation for the plaintiffs, not about whether claimants are eligible.
I'm not sure how one would prove their identify theft was specifically due to Equifax's data breach even if the leaked data were available, so I don't understand that that could be a condition for a claim to be valid. My interpretation is that your claim is valid if you had data with Equifax and you subsequently spent time or money establishing credit monitoring or identity theft resolution.
If there's more to it than that, and Equifax has arranged the settlement such that a claimant has to somehow prove the source of their identity theft was Equifax, then yes, I agree even more strongly with the "Equifax bad" narrative you decried upstream. That would be impossible to prove, even if the data did surface.
If you can prove the data has never been made available, you can prove it wasnt used.
If you can prove that data existed previously, the data used came from somewhere else, you essentially prove it didn't come from this breach. You would do this by catching the people responsible for identity theft, and identifying what data source they used. It would be very unlikely for equifax or anyone to go through this trouble or risk the bad press of attacking victims (even if they are somebody elses victims.)
>My interpretation is that your claim is valid if you had data with Equifax and you subsequently spent time or money establishing credit monitoring or identity theft resolution.
I believe there were different types of claims, one being credit monitoring, and another that your data was used against you.
> If you can prove the data has never been made available, you can prove it wasnt used.
Considering that Equifax announced they experienced a data breach, it is clear the data has been made available to someone that isn't Equifax. So I don't know why we're entertaining that avenue, when it's admitted that the data has left the purview of the entity to which it was trusted.
I think we agree that it's very hard if not impossible to determine the source of identity theft. I believe that even if the data were made public, we would not be any closer to making most of those determinations. Which is why whether or not we've "seen" the data from this breach, to me, is immaterial - the fact that the breach happened in the first place caused people to enroll in credit monitoring, suffer emotional distress, and other quantifiable damages/expenses that would not have happened had there not been a breach.
That all seems to be perfectly within the scope of "time spent recovering from [...] other misuse of your personal information caused by the data breach" outlined on the settlement website[0] as validity to a claim. The "misuse of [my] personal information" happened the moment the data left Equifax's servers. It has nothing to do with whether the data got used for identity theft (yet) or shared by the thieves.
It does not say "you must prove that the pieces of your identity that were stolen came specifically from this data breach", or "if it turns out whoever stole the data sits on it for a while, then you don't get compensated" -- these are impossible stipulations, and we should hold Equifax to a higher standard in this landmark case.
I think the point OP was making that if the data hasn't surfaced, then you cannot confirm if a particular case of identity theft has been caused by the breach.
That's a fair line of thought, but their comment was: data hasn't surfaced -> can't know where an identity theft came from -> Equifax petitioners lose their right to the settlement
When the reality is: Equifax agreed to pay a settlement -> Equifax has not yet paid yet (and whether the material surfaces or not was not a stipulation of the settlement that they agreed to)
What it really comes down to, is if "data hasn't surfaced" means "we dont know if the data was used" or if "data hasn't surfaced" is something you can prove hasnt happened. It's the difference between "we dont know" or "we know your identity theft wasnt related to this."
So in your "narrative" do social security numbers and other sensitive personal details have some sort of expiration date where if they don't "surface" within a certain time frame they are no longer useable?
What an absurd implication. Just because something doesn't end up in a massive file dump on the dark web doesn't somehow mean it's not usable. Quite the opposite its actually too valuable to dump on the dark web.
https://www.cnbc.com/2019/02/13/equifax-mystery-where-is-the...
It's interesting that most coverage of the incident ignores that detail. I guess people really dont like to hear it because it doesnt fit their narrative. Whatever this interest.com article is, it has very little value. It reads like seo spam. It doesn't discuss any of the developments in the last three weeks, such as Chicago, Indiana, Massachusetts all working out settlements.