Equifax tries to explain its response to a massive security breach

And here's what you should do next.


A day after announcing that hackers stole personal information tied to 143 million people in the US, Equifax's response to the breach has come under scrutiny. Language on the website where people could find out if they were affected seemed to say that by signing up they would waive any right to join a class action suit against the company -- something New York Attorney General Eric Schneiderman said is "unacceptable and unenforceable." The company has since explained it does not apply to the data breach at all, but that hasn't stopped misinformation from spreading.


In response to consumer inquiries, we have made it clear that the arbitration clause and class action waiver included in the Equifax and TrustedID Premier terms of use does not apply to this cybersecurity incident,

Of course, considering the extent of what has leaked and the number of people affected, a hyperbolic reaction to anything surrounding this incident is understandable. A group claiming to be the hackers behind the theft has threatened to release the stolen data unless paid a ransom, but there's no confirmation yet that they actually have anything. As far as how it happened, one analyst told the New York Post that Equifax attributed the hack to the exploitation of a flaw in the Apache Struts framework. Still, there are a few steps that people can and should take, now that we know someone has stolen more than enough information to perpetrate identity theft on a massive scale.

Now that the language has been clarified, it appears legally safe to use Equifax's website to check whether you are affected. Among Engadget staff, a few of us received notices that we aren't among those impacted, but most weren't so lucky. Still, there are questions about how secure the site itself is, since it requests the last six digits of each person's social security number (and guessing the first three isn't as hard as you might think). Also, it doesn't appear to work particularly well, responding to test and "gibberish" input with a claim that the entry is part of the breach as well.

The best information on how to respond is available from the FTC. The government agency lays out solid next steps, like checking your credit report for any suspicious entries, as well as placing a freeze (there's more advice on that here) and/or fraud alert on your account with the major credit bureaus. This will make it harder for a thief to create a fake account for you and should force creditors to verify your identity. Finally, it's important to file your taxes early, before a scammer potentially can.