Equifax, a major consumer credit reporting agency, announced Tuesday that it had been the victim of a gigantic hack. Personal information belonging to 143 million people was stolen, including their names, social security numbers, birth dates, and home addresses. Credit card information belonging to 209,000 individuals was also taken. The hack is believed to have occurred sometime in May. Equifax has set up an extensive website for consumers to use in order to learn whether they have been affected by the breach, but it doesn't appear to work as intended. Using the site alone, it's difficult to know whether your data has been compromised.
When I used Equifax's portal that's supposed to inform me whether or not my personal information has been stolen, I got this vague message in return:
Apparently, I am supposed to mark my calendar to come back to Equifax's website in a week, in order to enroll in TrustedID Premier, a complimentary identity theft protection and credit file monitoring service that the company is offering. Meanwhile I have no idea whether my social security number is floating out there on some hacker's spreadsheet, and I don't know what Equifax is doing with the last six digits of my social security number.
Other members of Motherboard tried the website themselves, and some were greeted with a screen which informed them that their data was in fact safe. Motherboard's Editor-in-Chief Jason Koebler was initially told that his data was not compromised, but when he used the system again, he too was given a date to check back. He is unsure if he is or is not enrolled in Equifax's TrustedID Premier program. He does know, though, that he forked over the last six digits of his social security number.
Equifax's FAQ page is unhelpful. The main question one likely has at this moment is "has my data been compromised?" The answer to that question remains elusive. Equifax's custom site for the hack reads "at the beginning of this process, you will find out whether your personal information may have been impacted by this incident," which does not appear to be true. You're given a date to come back to Equifax's website, but you're not definitively told whether or not your data was affected.
When reached by Motherboard, Equifax declined to give us more information. But what appears to be happening—or what we think is happening—is that if you are not affected by the hack, Equifax says you were not impacted. If you were affected by the hack (we think), Equifax tells you to come back at a later date to finish enrolling. Of course, unless you're comparing and contrasting your experience with other people, you'd have no way of knowing this. All of this is made more confusing by the fact that if you were not affected by the hack and you click "Enroll," you are taken to a page similar to the one shown to those who seemingly were affected by the hack.
To make matters worse, there appear to be three different Equifax websites where you can find information about the hack. There's trustedidpremier.com/eligibility/, where you can receive a date to find out whether you've been hacked and enroll in the identity theft protection service, called TrustedID Premier; there's Equifax's official website, Equifax.com; and there's a custom domain, EquifaxSecurity2017.com, that was created to inform the public about the hack. The different URLs alone are enough to confuse; after news of the hack broke, multiple VICE employees approached Motherboard employees, asking if this was a phishing attempt designed to steal their data, because of the various URLs involved.
"It's not good incident response for them at all, and that's not what transparent behavior looks like at all," Jessy Irwin, an independent cybersecurity researcher, told Motherboard. "They need to have a check status page. It's the most hostile decision they could have made, and a very bad overture to potentially affected consumers."
"Social security numbers, birthdates and addresses are how we sign up for credit cards, how we get insurance, how we enroll for social services. These major breaches enable fraudulent behavior to impact all of those services, including the most vulnerable (the social services), and they hurt consumers as well as our economy," she explained.
"The check status page isn't a way for consumers to get information-- it is functioning as a landing page for product enrollment that does not address a consumer's primary concerns," Irwin went on.
When I reached out to Equifax to ask about how their response to the hack has the potential to confuse consumers, a representative said, "We have no further information to contribute at this point other than what is in the news release."
Samantha Cole contributed reporting.