Your Social Security number is worth $125 — in the eyes of Equifax, at least.
The Federal Trade Commission reached a settlement with Equifax over a data breach that affected an estimated 147 million Americans — one of the largest data breaches in U.S. history.
Equifax, a credit reporting agency, leaked consumers’ most sensitive information, including 145.5 million Social Security numbers. Other private data such as addresses, dates of birth, driver’s license numbers and credit card numbers were also leaked.
The settlement allows affected consumers, roughly half of all U.S. adults, to file a claim for one of the following:
- Up to 10 years of free credit monitoring services.
- A payout up to $20,000 if you can prove you invested time or money into identity theft services because of the breach.
- A one-time payment up to $125 if you can show that you have current credit monitoring services.
The settlement allocates a maximum of $425 million for individual compensation, but the FTC worries the estimated 147 million Americans won’t see anywhere near the amount they try to claim. And by submitting a claim, consumers are waiving their rights to personally sue Equifax for any damages caused by the 2017 breach.
The current allotment for individual compensation factors in enough money for only 3.4 million Americans to claim $125. That’s less than 3% of affected consumers.
Claims must be submitted by Jan. 22, 2020.
Starting in 2020, all consumers are eligible for up to six free Equifax credit reports per year for seven years.
Codetic reached out to the Equifax settlement administrator to see how many people have submitted a claim. A representative for the administrator declined to comment by phone about whether that information is available.
Equifax Data Breach: A Quick Recap of What Happened
In March 2017, Equifax’s security team failed to patch its network for four months after it became aware of what the FTC calls a “critical security vulnerability.” Hackers then allegedly exploited that vulnerability to gain access to its network.
A release from the FTC on the July 2019 settlement described the breach as “preventable.”
“A company investigation revealed that multiple hackers… accessed an unsecured file that included administrative credentials stored in plain text. These credentials allowed the hackers to gain access to vast amounts of consumers’ personally identifiable information.”
Bur Equifax said it “denies any wrongdoing, and no judgment or finding of wrongdoing has been made.”
What the Equifax Breach Means for Consumers — and How to Act
Considering the hacks impacted roughly half of all American adults’ most sensitive information, every consumer should check to see if their information was compromised.
On the official settlement website, you can check whether your data was breached in seconds. Your last name and the last six digits of your Social Security number are required.
The only government-approved website is Equifaxbreachsettlement.com. Experts warn that additional identity theft can occur if consumers use fake websites to check if their information was stolen.
If your data was breached, you should consider your options before claiming the cash, says assistant professor Sagar Samtani, a cyber security and dark web expert at the University of South Florida’s Muma College of Business.
Should You Claim the Money?
There are unintended consequences to consider when applying for the money.
Samtani worries that the low payout amount of $125 could lead consumers to believe that the breach wasn’t as serious as it is. He says that once hackers get a hold of such sensitive information, they can sell and resell it on the dark web as many times as they want since it’s not a physical object.
“Once that information is out there, it’s out there,” he said. “The problem could potentially last forever.”
Another issue boils down to simple math: Equifax allotted a maximum of $425 million for individual compensation, and 147 million Americans were affected. Hypothetically, if every affected American applied, the cash payout would reduce significantly.
Since the funds are available on a first-come, first-served basis, early applicants have a better chance of getting the intended amount.
In that light and because of the risk of future identity theft, Samtani says that claiming the credit monitoring and identity theft services could be a better option than taking the money.
If you’ve already submitted a claim for the $125 and would rather take the credit monitoring, you must request the change in writing by email ([email protected]). You can also call the settlement administrator directly to get updates on your claim at 1-833-759-2982.
Should You Opt Out of the Settlement?
Although the deadline to claim any funds is in January 2020, the deadline to opt out of the settlement is much sooner: Nov. 19, 2019.
After that date, you forfeit the right to sue Equifax.
If you have already experienced significant losses due to identity theft because of the 2017 data breach (or expect you could face future identity theft or losses), opting out of the settlement allows you to seek damages in a separate lawsuit against Equifax.
The eternal nature of leaked data makes it difficult to predict how hackers could use or access the breached information in the future. If you’re considering a separate lawsuit, it’s important to consult a lawyer.
Practice ‘Cyber Hygiene’ to Protect Your Data
The Equifax breach underscores the need for better “cyber hygiene” as Samtani calls it.
“The number one thing is being aware of what types of cyber assets you have,” he said.
By that, he means you should think about more than just your Social Security numbers and credit card information. While most people already know to guard these numbers, identity theft requires more information. And that additional information is often readily shared online — birthdays, hometowns, employment history and more. With a quick Facebook search, a hacker could fill in the few missing pieces.
Once that information is out there, it’s out there. The problem could potentially last forever.
To combat this, Samtani suggests several ways to shield yourself from identity theft and oversharing.
Data check: Do a quick Google search on your name and city, and take note on the results. Sometimes public records include full names and addresses. If this info is already available, be extra cautious of sharing additional information online.
Social media profiles: Make them private and consider what you’re sharing, even if your account is private. Often times, users willingly share personal information unaware of exactly who is reading it.
Passwords: Change passwords regularly and never use the same ones across numerous accounts.
“Be totally vigilant,” he said. “Do whatever you can to minimize what kind of information is out there.”
Adam Hardy is a staff writer at Codetic. He specializes in ways to make money that don’t involve stuffy corporate offices. Read his latest articles here, or say hi on Twitter @hardyjournalism.