- Equifax set up a site where users can check if their data has been compromised as part of a hack that put 143 million people’s personal information in jeopardy. There have been issues with the site, with some users not getting a clear response and others questioning its validity. The Equifax site also includes an arbitration clause, which means that people who use the site waive their rights to a class-action lawsuit. At least one lawsuit has been filed against the company regarding the breach.
A site Equifax set up to help users check to see whether they were among the 143 million people whose personal information may have been compromised isn’t working for many people.
Equifax, a company that provides credit scores, on Thursday said the details potentially accessed by hackers from mid-May to July included names, Social Security numbers, some credit-card numbers, and personal documents.
To allow people to check whether they may have been part of the data breach, Equifax set up a website it linked to in a press release that asked for a person’s last name and the last six digits of his or her nine-digit Social Security number. That requirement alone drew some suspicions.
Equifax: We may have exposed your SSN
Also Equifax: Give us your SSN and we'll tell you if we did
Also Equifax: We actually won't tell you
— Jessie Opoien (@jessieopie) September 8, 2017
Beyond that, more than a dozen people told Business Insider they had trouble getting the site to work or to provide the answers they were looking for.
Also, their captchas don't work & apparently nobody at Equifax knows what a spatula is. pic.twitter.com/ooZEqVjaHa
— The Sassiest Semite (@LittleMissLizz) September 7, 2017
Equifax said in a statement Friday night that the issue with the site where users weren’t getting a response to whether their information was compromised has been resolved.
On Friday morning, here’s what the response screen looked like after the information’s been submitted. The site tells you either that “we believe that your personal information may have been impacted by this incident” or that it doesn’t think you were part of the breach. Some users said entering a fake last name and Social Security number sometimes still led to the message saying they may have been affected.
When users click on enroll, they hit a screen giving them an enrollment date with a note that they will not receive additional reminders.
Beyond that, users weren’t given much information, leading some to question the validity of the website and the group that owns it.
Looks pretty fake to me pic.twitter.com/EUsyUYzG9s
— chocolatem0nkey (@chocolatem0nkey) September 7, 2017
Others have pointed out the arbitration clause on the company’s website, which means that people who use the site waive their rights to a class-action lawsuit. At least one lawsuit has been filed against the company regarding the breach.
PSA: If you check Equifax's site to see if your data was stolen, you *waive your rights* to sue Equifax or be part of a class action suit. pic.twitter.com/p4AlmmLQ3r
— Zack Whittaker (@zackwhittaker) September 8, 2017
Equifax added a clause to its terms of service allowing people to opt out, but it requires mailing information to the company.
Here’s the section that addresses it:
“Right to Opt-Out of this Arbitration Provision.IF YOU DO NOT WISH TO BE BOUND BY THE ARBITRATION PROVISION, YOU HAVE THE RIGHT TO EXCLUDE YOURSELF. Opting out of the arbitration provision will have no adverse effect on your relationship with Equifax or the delivery of Products to You by Equifax. In order to exclude Yourself from the arbitration provision, You must notify Equifax in writing within 30 days of the date that You first accept this Agreement on the Site (for Products purchased from Equifax on the Site). If You purchased Your Product other than on the Site, and thus this Agreement was mailed, emailed or otherwise delivered to You, then You must notify Equifax in writing within 30 days of the date that You receive this Agreement. To be effective, timely written notice of opt out must be delivered to Equifax Consumer Services LLC, Attn.: Arbitration Opt-Out, P.O. Box 105496, Atlanta, GA 30348, and must include Your name, address, and Equifax User ID, as well as a clear statement that You do not wish to resolve disputes with Equifax through arbitration. If You have previously notified Equifax that You wish to opt-out of arbitration, You are not required to do so again. Any opt-out request postmarked after the opt-out deadline or that fails to satisfy the other requirements above will not be valid, and You must pursue your Claim in arbitration or small claims court.”
Equifax said in a statement Friday night that the arbitration waiver – written in the site’s terms of service – didn’t apply to the cybersecurity attack.