Equifax breach response criticized for waits, lawsuit waiver

Last Updated Sep 8, 2017 12:38 PM EDT

The 143 million Americans whose data was impacted by Equifax's massive data breach may not be feeling reassured by the company's response.

Equifax is offering a free credit monitoring service for the 143 million Americans whose data was impacted by its breach. Unfortunately, Equifax is also telling customers they must wait several days to enroll in the service.

The terms of use for the credit-monitoring service, which is called TrustedID Premier, also appear to require consumers to sign away their right to sue Equifax. By waiving their legal rights, consumers instead agree to mandatory arbitration, a tactic that has come under fire from consumer rights advocates, who call such provisions "rip-off clauses" because they bar consumers from banding together to sue in a class action.

"@Equifax website tells me I'm part of the hack, but I can't enroll for TrustedID monitoring until next Wed? That's pathetic!  What a joke!" one consumer wrote on Twitter. 

Equifax didn't immediately return a request for comment. 

"They had a lot of time to get ready for this," said Liz Weston, a personal finance expert with NerdWallet. "They still have a long way to go."

This reporter entered her information into Equifax's website on Friday morning and was told her data was likely impacted by the hack. The site informed her that she couldn't sign up for TrustedID Premier until Sept. 11, or three days later. 

As many consumers suspect, hackers don't wait around for them to sign up for credit monitoring before using their data. Hackers and criminals appear to have had the data for months -- Equifax learned about the breach on July 29, but didn't disclose the hack publicly until Thursday.

Equifax appeared to have updated its terms of service on Friday to allow consumers to opt out of the mandatory arbitration agreement for TrustedID Premier, The Washington Post reported. While that is a step forward, it puts the onus on consumers to read through the fine print and take the time to respond to Equifax. Consumers who want to opt out must write to Equifax within 30 days with their name, address, Equifax user ID and "a clear statement that you do not wish to resolve disputes with Equifax through arbitration."

Some consumers reported difficulty Friday getting onto Equifax's site to check whether they had been hacked.

While the hack is smaller than Yahoo's consumer-data breaches in 2013 and 2014, the impact of Equifax's failure is potentially much larger because of the highly sensitive data that credit-reporting agencies collect. Given the seriousness of the matter, some critics are calling Equifax's response "amateur" and "problematic."

For instance, the site Equifax set up for consumers to check whether they had been hacked was built on WordPress, and its domain name wasn't registered to Equifax, according to Ars Technica. Cisco's OpenDNS service was reporting the site as a possible phishing attack, according to Krebs on Security, which covers cyber-security issues.

TrustedID Premier is operated by Equifax itself, a fact that is also rubbing consumers the wrong way. The company is providing one year of free service for those who were impacted, but consumers could face an increased risk of identity theft or other problems for years to come.

"The credit bureaus — which make piles of money by compiling incredibly detailed dossiers on consumers and selling that information to marketers — have for the most part shown themselves to be terrible stewards of very sensitive data, and are long overdue for more oversight from regulators and lawmakers," noted Brian Krebs, the founder of Krebs on Security. 

Meanwhile, investors are joining consumers in expressing their disapproval of Equifax. The company's shares fell nearly 13 percent in early trading, lopping more than $2 billion off Equifax's market value.