
The vulnerability exploited in the breach was Apache Struts CVE-2017-5638. Apache Struts is a popular framework for creating Java web applications, maintained by the Apache Software Foundation. The Foundation issued a statement announcing the vulnerability and released a patch on March 7, 2017.

The following day, the Department of Homeland Security contacted Equifax, Experian, and TransUnion to notify them of the vulnerability. On March 9, 2017, an internal email notification was sent to Equifax administrators directing them to apply the Apache patch. Equifax's information security department ran scans on March 15, 2017 that were meant to identify systems that were vulnerable to the Apache Struts issue, but the scans did not identify the vulnerability.

The vulnerability was left unpatched until July 29, 2017, when Equifax's information security department discovered "suspicious network traffic" associated with its online dispute portal and applied the Apache patch. On July 30, 2017, Equifax observed further suspicious activity and took the web application offline. Three days later the company hired cybersecurity firm Mandiant to conduct a forensic investigation of the breach. The investigation revealed that the data of an additional 2.5 million U.S. consumers had been breached, bringing the total number of Americans affected to approximately 145.5 million. Equifax disclosed in the same announcement that 8,000 Canadians had been impacted and stated that the forensic investigation related to UK consumers had been completed, but did not state the number of UK consumers affected. A later announcement from Equifax stated that the data of 693,665 UK citizens was breached.

Equifax Response and Criticisms

Equifax's response to the breach raised concerns among security experts and consumer advocates. Security expert Brian Krebs called Equifax's public outreach after the breach "haphazard," "ill-conceived," and a "dumpster fire." Equifax created a separate domain, equifaxsecurity2017.com, for consumers to find out if their information was compromised in the breach. This caused the site to be flagged as a phishing threat by browsers. Developer Nick Sweeting bought the domain securityequifax2017.com to demonstrate that Equifax's decision to create a separate domain made it much easier for phishing sites to imitate it and confuse people. The Equifax Twitter account accidentally tweeted a link to the spoofed site. Consumers who contacted Equifax in the immediate wake of the breach to freeze their credit were given PINs that corresponded to the date and time of the freeze, making them easier to guess.

Equifax advised people to sign up for its credit monitoring service, TrustedID Premier, but in doing so consumers agreed to terms of use with a mandatory arbitration clause. After public outcry that Equifax was forcing consumers to give up their right to sue, the company issued a press release explaining that the arbitration clause would not apply to claims arising from the security breach.

Timeline

• March 7, 2017 - The Apache Software Foundation reported the vulnerability Apache Struts CVE-2017-5638 and released a patch.
• March 8, 2017 - Department of Homeland Security (US-CERT) contacted Equifax, Experian, and TransUnion to notify them of Apache Struts CVE-2017-5638.
• March 9, 2017 - An internal email notification was sent to Equifax administrators directing them to patch the Apache vulnerability.
• March 15, 2017 - Equifax's information security department ran scans meant to identify systems that were vulnerable to the Apache Struts issue, but the scans did not identify the vulnerability.
• May 13, 2017 - Hackers began to access personal identifying information.
• July 29, 2017 - Equifax discovered "suspicious network traffic" associated with its consumer dispute website. Its information security department applied the Apache patch.
• July 30, 2017 - Equifax's information security department observed further suspicious activity and took the web application offline.
• July 31, 2017 - Equifax's Chief Information Officer notified CEO Richard Smith of the suspicious activity.
• August 1-2, 2017 - Three senior Equifax executives sold stock worth almost $1.8 million.
• August 2, 2017 - Equifax hired cybersecurity firm Mandiant to conduct a forensic investigation of the breach.
• September 7, 2017 - Equifax announced the security breach to the public on Twitter.
• September 11, 2017 - Twenty U.S. Senators wrote Equifax a letter asking the company to clarify its position on the Consumer Financial Protection Bureau's rule limiting use of forced arbitration clauses. Equifax had previously lobbied for the rule's repeal.
• September 13, 2017 - Senator Mark Warner (D-VA) wrote a letter to FTC Acting Chairwoman Maureen Ohlhausen asking her to open an investigation into the breach.
• September 14, 2017 - Representative Lamar Smith and Representative Trey Gowdy sent the Equifax CEO a letter notifying him that the House Committee on Oversight and Government Reform and the House Committee on Science, Space, and Technology are conducting an investigation into the breach and requesting relevant business records.
• September 15, 2017 - Two Equifax executives resigned.
• September 15, 2017 - Equifax issued a press release confirming that the vulnerability was Apache Struts CVE-2017-5638.
• September 18, 2017 - New York Governor Andrew Cuomo announced a proposal to apply the state's banking regulations to credit reporting agencies.
• September 26, 2017 - Equifax CEO Richard Smith retired and the Board of Directors appointed Paulino do Rego Barros Jr. as Interim CEO.
• September 27, 2017 - Interim CEO Paulino do Rego Barros Jr. published a public apology on behalf of Equifax, and announced a new free service allowing people to lock and unlock their credit.
• October 3, 2017 - IRS awarded a multimillion-dollar fraud-prevention contract to Equifax.
• October 12, 2017 - IRS temporarily suspended its contract with Equifax.
• October 12, 2017 - Security researchers discovered that Equifax's website contained false Adobe Flash download links that tricked users into downloading malware that displays unwanted ads online.
• January 31, 2018 - Equifax launched its free "Lock & Alert" product to help consumers better control access to their credit report.
• February 2018 - Sen. Elizabeth Warren (D-MA) released a report detailing the findings of her office's investigation of the breach.
• March 1, 2018 - Equifax announced that an additional 2.4 million U.S. consumers had their names and partial driver's license information stolen, bringing the total to about 148 million people impacted by the breach.
• March 14, 2018 - Senate passed the Economic Growth, Regulatory Relief, and Consumer Protection Act (S. 2155) 67-31. The bill would give consumers free credit freezes but would also preempt states from passing stronger laws.
• March 28, 2018 - Equifax named Mark Begor as CEO.

How did Equifax handle the breach?

At any rate, once the breach was publicized, Equifax's immediate response did not win many plaudits. Among their stumbles was setting up a separate dedicated domain, equifaxsecurity2017.com, to host the site with information and resources for those potentially affected. These sorts of lookalike domains are often used by phishing scams, so asking customers to trust this one was a monumental failure in infosec procedure. Worse, on multiple occasions official Equifax social media accounts erroneously directed people to securityequifax2017.com instead; fortunately, the person who had snapped up that URL used it for good, directing the 200,000 (!) visitors it received to the correct site.

Meanwhile, the real equifaxsecurity2017.com breach site was judged insecure by numerous observers, and may have just been telling everyone that they were affected by the breach whether they really were or not. Language on the site (later retracted by Equifax) implied that just checking to see if you were affected meant that you were giving up your right to sue over it. And in the end, if you were affected, you were directed to enroll in an Equifax ID protection service, for free, but how much do you trust the company at this point?
How does the Equifax settlement work?

The Equifax settlement dangles the prospect that you might get a check for your troubles, but there are some catches. The settlement mandates that Equifax compensate anyone affected by the breach with credit monitoring services; Equifax wants you to sign up for their own service, of course, and while they will also give you a $125 check to go buy those services from somewhere else, you have to show that you do have alternate coverage to get the money (though you could sign up for a free service).

More cash is available if you've actually lost money from identity theft or spent significant amounts of time dealing with the fallout, but here, too, documentation is required. And that $125 is just a maximum; it almost certainly will go down if too many people request checks.

After Becoming Aware of the Attack, Equifax Took Steps to Block the Attackers

Equifax's assessment of the data breach began with actions it took to identify that it was being attacked as well as subsequent actions to block the intrusion. Equifax officials stated that, on July 29, 2017, approximately 2.5 months after the attackers began extracting sensitive information on May 13, 2017, security personnel conducting routine checks of the operating status and configuration of IT systems detected the intrusion on the online dispute portal.

As reported by Equifax, a network administrator conducting routine checks of the operating status and configuration of IT systems discovered that a misconfigured piece of equipment allowed attackers to communicate with compromised servers and steal data without detection. Specifically, while Equifax had installed a device to inspect network traffic for evidence of malicious activity, a misconfiguration allowed encrypted traffic to pass through the network without being inspected. According to Equifax officials, the misconfiguration was due to an expired digital certificate. The certificate had expired about 10 months before the breach occurred, meaning that encrypted traffic was not being inspected throughout that period. As a result, during that period, the attacker was able to run commands and remove stolen data over an encrypted connection without detection.
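An expired certificate on an inspection device is a silent failure: the device keeps passing traffic, so nothing looks broken and nobody is paged. The check below is an added example, not Equifax's configuration or code from the page. It assumes an inventory of inspection appliances and the notAfter string each one reports (the format that ssl.getpeercert() and openssl x509 -enddate print), and evaluates it as of July 29, 2017 to reproduce the ten-month gap the report describes. The inventory and device names are constructed.

```python
import calendar
import ssl
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class InspectionCert:
    device: str      # assumed inventory field: the TLS-inspection appliance holding the cert
    not_after: str   # notAfter as ssl.getpeercert() and 'openssl x509 -enddate' print it


# Constructed inventory, not Equifax's. The first entry models the page's scenario: a
# certificate that expired roughly ten months before the intrusion was noticed.
INVENTORY = [
    InspectionCert("ssl-inspect-dmz-01", "Sep 10 12:00:00 2016 GMT"),
    InspectionCert("ssl-inspect-core-02", "Aug 15 00:00:00 2017 GMT"),
    InspectionCert("ssl-inspect-core-03", "Jan 15 00:00:00 2019 GMT"),
]

# Evaluate as of 2017-07-29 00:00 UTC, the day the page says the traffic was noticed.
AS_OF = calendar.timegm((2017, 7, 29, 0, 0, 0))


def cert_status(cert: InspectionCert, now: int = AS_OF, warn_days: int = 30) -> Tuple[str, float]:
    """(status, days_left). EXPIRED means the device has silently stopped inspecting."""
    days_left = (ssl.cert_time_to_seconds(cert.not_after) - now) / 86400
    if days_left < 0:
        return "EXPIRED", days_left
    if days_left <= warn_days:
        return "EXPIRING", days_left
    return "OK", days_left


def audit(inventory: List[InspectionCert], now: int = AS_OF, warn_days: int = 30) -> List[Tuple[str, str, float]]:
    """One (device, status, days_left) row per certificate in the inventory."""
    return [(c.device, *cert_status(c, now, warn_days)) for c in inventory]


def inspection_gaps(inventory: List[InspectionCert], now: int = AS_OF) -> List[str]:
    """Devices whose certificate has lapsed: encrypted traffic through them is unchecked."""
    return [c.device for c in inventory if cert_status(c, now)[0] == "EXPIRED"]


if __name__ == "__main__":
    for device, status, days in audit(INVENTORY):
        print(f"{device:22} {status:9} {days:8.1f} days")
    print("uninspected paths:", inspection_gaps(INVENTORY))
```

The EXPIRED bucket is the one that must page someone, and the appliance itself should be configured to fail closed (block or drop flows it cannot inspect) rather than fail open. A certificate that lapses for ten months without an alert means the control was never itself being monitored.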

Equifax officials stated that, after the misconfiguration was corrected by updating the expired digital certificate and the inspection of network traffic had restarted, the administrator recognized signs of an intrusion, such as system commands being executed in ways that were not part of normal operations. Equifax then blocked several Internet addresses from which the requests were being executed to try to stop the attack.
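The two signals named in this paragraph, a web application executing commands outside normal operations and the requests that drove them, can be checked mechanically once inspection is back on. The following is an added example, not Equifax's detection logic or code from the page, run over constructed request and process logs (hypothetical portal paths, TEST-NET addresses). It flags requests whose Content-Type header is not a media type but carries an OGNL expression marker (%{ or ${), which is the malicious input the S2-045 advisory for CVE-2017-5638 describes; flags shells spawned by the java web-application process; correlates the two within a short window; and yields the source addresses to block. The bracketed values in the sample log are placeholders, not working payloads.

```python
import re
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed request log. Fields: time, source IP, method, path, Content-Type as received.
# The two bracketed values are placeholders shaped like OGNL, not exploit payloads.
REQUEST_LOG = """\
2017-07-29T10:00:01Z\t203.0.113.5\tPOST\t/dispute/upload.action\tmultipart/form-data; boundary=----WebKitFormBoundary
2017-07-29T10:00:07Z\t198.51.100.7\tPOST\t/dispute/upload.action\t%{(#placeholder=1)}
2017-07-29T10:00:09Z\t203.0.113.9\tGET\t/dispute/status.action\t-
2017-07-29T10:01:15Z\t198.51.100.8\tPOST\t/dispute/upload.action\t${(#placeholder=2)}
"""

# Constructed process-audit log. Fields: time, host, parent command, child command line.
PROCESS_LOG = """\
2017-07-29T10:00:07Z\tweb-01\tjava\t/bin/sh -c id
2017-07-29T10:00:30Z\tweb-01\tcron\t/bin/sh -c /usr/local/bin/rotate-logs.sh
2017-07-29T10:01:16Z\tweb-01\tjava\t/bin/bash -c whoami
"""

OGNL_MARKER = re.compile(r"[%$]\{")  # OGNL expressions open with %{ or ${; never part of a media type
MEDIA_TYPE = re.compile(r"^[\w.+-]+/[\w.+-]+(\s*;.*)?$")  # type/subtype plus optional parameters
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/sh", "/usr/bin/bash"}


def parse_tsv(text: str, fields: Tuple[str, ...]) -> List[Dict[str, str]]:
    return [dict(zip(fields, line.split("\t"))) for line in text.splitlines() if line.strip()]


def when(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def hostile_content_type(value: str) -> bool:
    """True for a header that carries an expression marker or is not a media type at all."""
    if value == "-":  # no header sent (e.g. a GET)
        return False
    return bool(OGNL_MARKER.search(value)) or not MEDIA_TYPE.match(value)


def webapp_spawned_shell(event: Dict[str, str]) -> bool:
    """A shell whose parent is the web application's JVM is outside normal operations."""
    return event["parent"] == "java" and event["cmdline"].split()[0] in SHELLS


def correlate(request_log: str, process_log: str, window_s: int = 10) -> List[Tuple[str, List[str]]]:
    """Pair each shell spawned by the web app with the hostile requests seen in the
    window_s seconds before it, so the command execution can be tied to a source."""
    hostile = [r for r in parse_tsv(request_log, ("ts", "src", "method", "path", "content_type"))
               if hostile_content_type(r["content_type"])]
    pairs = []
    for event in parse_tsv(process_log, ("ts", "host", "parent", "cmdline")):
        if not webapp_spawned_shell(event):
            continue
        t = when(event["ts"])
        sources = sorted({r["src"] for r in hostile
                          if 0 <= (t - when(r["ts"])).total_seconds() <= window_s})
        pairs.append((event["cmdline"], sources))
    return pairs


def block_list(request_log: str, process_log: str) -> List[str]:
    """Source addresses tied to command execution: the set to block first."""
    return sorted({src for _, sources in correlate(request_log, process_log) for src in sources})


if __name__ == "__main__":
    for cmdline, sources in correlate(REQUEST_LOG, PROCESS_LOG):
        print(f"{cmdline!r} <- {', '.join(sources) or 'no request in window'}")
    print("block:", block_list(REQUEST_LOG, PROCESS_LOG))
```

Blocking the addresses is the stopgap the report describes; the process rule (JVM spawning a shell) is the durable detection, because it does not depend on the attacker's next source address or on the specific header they abuse.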

Equifax reported that, on July 30, 2017, after its information security department observed additional suspicious activity continuing to occur, the online dispute portal was taken offline. The next day, the Chief Security Officer, in coordination with internal stakeholders, informed the Chief Executive Officer of the attack on the portal.

Equifax Reported Taking Steps to Strengthen its Cybersecurity Controls

According to Equifax's public filings, including its annual 10-K filing submitted to the Securities and Exchange Commission in March 2018 and its notice of 2018 annual meeting and proxy statement, following the 2017 incident, Equifax undertook a variety of remediation efforts to address the factors identified in their investigation. Equifax officials responsible for coordinating the response to the incident stated that, once the company identified how the attackers were able to gain unauthorized access to company systems and remove sensitive data, it took measures to address the internal factors that led to the breach. The measures were intended to better protect the company's infrastructure from future disruptions, compromises, or failures. We did not independently assess Equifax's efforts to address the identified factors.

Specifically, Equifax officials stated that system-level remediation measures were implemented to address the factors that led to the breach. For example, to work toward addressing concerns about identifying vulnerable servers, Equifax reportedly is implementing a new management process to identify and patch software vulnerabilities and confirm that vulnerabilities have been addressed. Also, to help ensure that detection of malicious activity is not hindered in the future, Equifax officials said they have developed new policies to protect data and applications and implemented new tools for continuous monitoring of network traffic. Further, in an effort to improve segmentation between devices that do not need to communicate, Equifax officials stated that they have implemented additional controls to monitor communications at the external boundary of the company's networks and added restrictions on traffic between internal servers. Finally, to help address data governance issues, the officials said they were implementing a new security controls framework and tighter controls for accessing specific systems, applications, and networks.
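The March 2017 scan that missed the vulnerable server and the patch-verification process described in the paragraph above are two sides of the same control: knowing which deployed artifacts actually carry a vulnerable Struts build. The following is an added example, not Equifax's tooling or code from the page. It reads the version that Maven stamps inside each struts2-core jar (including jars packed inside deployed WARs and EARs, not just loose files on a host) and compares it against the ranges the S2-045 bulletin lists for CVE-2017-5638: 2.3.5 through 2.3.31 and 2.5 through 2.5.10 are affected, 2.3.32 and 2.5.10.1 carry the fix. The jars and their paths are constructed in memory so the example runs offline.

```python
import io
import re
import zipfile
from typing import Dict, Optional, Tuple

# Affected ranges and fixed releases for S2-045 (CVE-2017-5638), per the Apache
# Struts security bulletin: 2.3.5 - 2.3.31 and 2.5 - 2.5.10 are affected;
# 2.3.32 and 2.5.10.1 carry the fix.
AFFECTED_RANGES = [((2, 3, 5), (2, 3, 31)), ((2, 5), (2, 5, 10))]
# Path Maven writes inside struts2-core jars; it records the real build version.
POM_PROPERTIES = "META-INF/maven/org.apache.struts/struts2-core/pom.properties"


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1); anything after the numeric part is ignored."""
    numeric = re.match(r"[\d.]+", text.strip()).group(0).strip(".")
    return tuple(int(part) for part in numeric.split("."))


def is_vulnerable_s2_045(version: str) -> bool:
    """Tuple comparison: (2, 5, 10, 1) sorts above (2, 5, 10), so 2.5.10.1 is clear."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def struts_version_from_jar(jar_bytes: bytes) -> Optional[str]:
    """Version stamped by Maven inside the jar, or None if the jar has no such
    metadata (a repackaged or shaded build that needs manual review)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if POM_PROPERTIES not in zf.namelist():
            return None
        for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
            key, sep, value = line.partition("=")
            if sep and key.strip() == "version":
                return value.strip()
    return None


def audit_jars(jars: Dict[str, bytes]) -> Dict[str, str]:
    """Verdict per jar path: VULNERABLE, PATCHED or UNKNOWN (no trusted version)."""
    verdicts = {}
    for path, data in jars.items():
        version = struts_version_from_jar(data)
        if version is None:
            verdicts[path] = "UNKNOWN"
        elif is_vulnerable_s2_045(version):
            verdicts[path] = "VULNERABLE"
        else:
            verdicts[path] = "PATCHED"
    return verdicts


def make_jar(version: Optional[str]) -> bytes:
    """Constructed stand-in for a struts2-core jar, built in memory for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("org/apache/struts2/Placeholder.class", b"")
        if version is not None:
            zf.writestr(POM_PROPERTIES, f"version={version}\ngroupId=org.apache.struts\n")
    return buf.getvalue()


# Constructed inventory (hypothetical paths): what a scan of deployed archives,
# not just of hosts, should return.
SAMPLE_JARS = {
    "/opt/portal/dispute.war/WEB-INF/lib/struts2-core-2.3.16.jar": make_jar("2.3.16"),
    "/opt/portal/admin.war/WEB-INF/lib/struts2-core-2.5.10.1.jar": make_jar("2.5.10.1"),
    "/opt/legacy/app.ear/lib/struts2-core-2.3.32.jar": make_jar("2.3.32"),
    "/opt/legacy/app.ear/lib/struts2-core-repackaged.jar": make_jar(None),
}

if __name__ == "__main__":
    for path, verdict in sorted(audit_jars(SAMPLE_JARS).items()):
        print(f"{verdict:<10} {path}")
```

A jar without Maven metadata is reported UNKNOWN rather than PATCHED on purpose: a scan that trusts file names, or that checks hosts instead of the archives deployed on them, is exactly how one vulnerable instance goes unfound. Confirming the fix means re-running the same inventory after patching and expecting zero VULNERABLE and zero UNKNOWN.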

In addition to these measures, Equifax stated that they implemented a new endpoint security tool to detect misconfigurations, evaluate potential indications of compromise, and automatically notify system administrators of identified vulnerabilities. Further, Equifax officials reported that the company has implemented a new governance structure to regularly communicate risk awareness to Equifax's board of directors and senior management. The new structure requires the company's Chief Information Security Officer to report directly to the Chief Executive Officer. Officials said this should allow for greater visibility of cybersecurity risks at top management levels.

Equifax Reported Taking Steps to Identify Affected Individuals

Following the shutdown of its online dispute portal, Equifax took steps to identify what data had been lost and the number of individuals affected so that it could fulfill its responsibility to notify affected individuals. To develop its estimate of the number of individuals affected by the data breach, Equifax stated that it recreated the attackers' database queries on a separate system that could run the queries at high speed, allowing Equifax to generate its estimate in a relatively short period of time. Equifax staff then worked to reconstruct queries against the data tables to identify which queries had successfully extracted data and which individuals were associated with that data.

However, as is commonly experienced with large breaches, Equifax faced challenges in determining exactly how many individuals were affected. According to Equifax officials, much of the stolen data consisted of incomplete records without full sets of identifying information. Some data sets included information that could be matched to more than one known individual. Subsequently, Equifax officials stated that they compared these data sets with information in the company's internal databases that were not impacted by the data breach to make matches with known identities.

For example, Equifax took partial records that did not include all fields and ran an analysis to determine whether Social Security numbers and names included in the records could be matched with those in Equifax's core credit reporting databases. In addition, Equifax performed analyses to remove duplicates and to determine whether a person could be linked to incomplete records based on Social Security numbers. After Equifax completed its initial analysis of the datasets, it estimated that approximately 143 million U.S. consumers had been affected by the breach.

Moreover, Equifax's initial analysis, reported on September 7, 2017, indicated that multiple types of PII had been compromised, including individuals' names, Social Security numbers, birth dates, addresses, and driver's license numbers. Because many of the records were incomplete, not all of the types of PII had been compromised for all affected individuals.

In addition, Equifax determined that credit card numbers for approximately 209,000 consumers and certain dispute documents, which had included PII for approximately 182,000 consumers, had been accessed. These documents contained PII associated with specific items from dispute cases that were submitted to Equifax as evidence supporting disputes they filed about the accuracy of their credit reports, such as utility bills.

Equifax made two revisions over time to its estimate of affected individuals. First, in late September 2017, Equifax determined that it had incorrectly concluded that one of the attackers' queries had not returned any data. After additional analysis, including a determination that the query had, in fact, allowed the attackers to access PII from approximately 2.5 million additional U.S. consumers, Equifax revised the number of affected individuals from 143 million to 145.5 million on October 2, 2017.

Second, on March 1, 2018, Equifax stated that it had identified approximately 2.4 million U.S. consumers whose names and partial driver's license information were stolen. The newly identified individuals were based on names and partial driver's license information contained in a data table that Equifax had not previously identified as including individuals compromised in the breach. According to Equifax officials, Equifax's original investigation had not identified these individuals because their names and partial driver's license information were not stolen together with their Social Security numbers.
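The two passes this section describes, matching extracted rows to the core credit file by Social Security number and then resolving rows that carry only a name and a partial driver's license number through an outside data source, amount to a small record-linkage procedure. The following is an added example, not Equifax's method or code from the page, with constructed stolen rows, a constructed reference table, and an assumed partial-license lookup standing in for the third-party source (the page names no interface for it). It shows why the first count is low (rows with no SSN are invisible to pass one), why a later addition only partly overlaps the earlier total, and why an SSN that matches but a name that does not is a case for review rather than a count.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class StolenRecord:
    """One row reconstructed from the attackers' queries; any field may be absent."""
    name: Optional[str] = None
    ssn: Optional[str] = None
    partial_dl: Optional[str] = None   # partial driver's license number, as the page describes


def norm_ssn(ssn: Optional[str]) -> Optional[str]:
    return re.sub(r"\D", "", ssn) if ssn else None


def norm_name(name: Optional[str]) -> Optional[str]:
    return " ".join(name.split()).upper() if name else None


# Constructed stand-in for the unaffected core credit file: SSN -> name on file.
REFERENCE_DB = {
    "111111111": "ALICE EXAMPLE",
    "222222222": "BOB EXAMPLE",
    "333333333": "CAROL EXAMPLE",
}
# Assumed third-party lookup: partial license -> SSN. The page describes such a
# source but gives no interface; this dict is the example's substitute.
DL_TO_SSN = {"A-0001": "111111111", "X-1234": "333333333"}

# Constructed extracted rows (names and numbers are fictional).
STOLEN = [
    StolenRecord(name="Alice Example", ssn="111-11-1111"),
    StolenRecord(ssn="111111111"),                            # same person, partial row
    StolenRecord(name="Bob  Example", ssn="222-22-2222"),
    StolenRecord(name="Robert Example", ssn="222-22-2222"),   # SSN matches, name does not
    StolenRecord(name="Zed Nobody", ssn="999-99-9999"),       # SSN unknown to the core file
    StolenRecord(name="Alice Example", partial_dl="A-0001"),  # no SSN: invisible to pass one
    StolenRecord(name="Carol Example", partial_dl="X-1234"),  # no SSN: only found in pass two
]


def match_by_ssn(records: List[StolenRecord], reference: Dict[str, str]
                 ) -> Tuple[Set[str], List[StolenRecord], List[StolenRecord]]:
    """Pass one: dedupe on SSN against the core file. Returns (matched SSNs,
    rows whose name disagrees with the file, rows whose SSN is unknown)."""
    matched, review, unresolved = set(), [], []
    for r in records:
        ssn = norm_ssn(r.ssn)
        if ssn is None:
            continue
        if ssn not in reference:
            unresolved.append(r)
            continue
        matched.add(ssn)
        if norm_name(r.name) not in (None, reference[ssn]):
            review.append(r)
    return matched, review, unresolved


def match_by_partial_dl(records: List[StolenRecord], dl_lookup: Dict[str, str],
                        reference: Dict[str, str]) -> Set[str]:
    """Pass two: rows with no SSN, resolved partial license -> SSN -> known identity."""
    return {dl_lookup[r.partial_dl] for r in records
            if r.ssn is None and r.partial_dl in dl_lookup and dl_lookup[r.partial_dl] in reference}


def affected_count(records: List[StolenRecord], reference: Dict[str, str],
                   dl_lookup: Dict[str, str]) -> Dict[str, int]:
    first, review, unresolved = match_by_ssn(records, reference)
    second = match_by_partial_dl(records, dl_lookup, reference)
    return {
        "pass1": len(first),
        "newly_identified": len(second - first),   # the part of pass two not already counted
        "total": len(first | second),
        "needs_review": len(review),
        "unresolved": len(unresolved),
    }


if __name__ == "__main__":
    print(affected_count(STOLEN, REFERENCE_DB, DL_TO_SSN))
```

Counting distinct resolved identities rather than rows is what keeps duplicate and partial rows from inflating the figure, and keeping the unresolved and needs-review rows separate is what lets a later pass (a new data source, a re-examined query) revise the total without double counting.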

To identify as many potentially affected individuals as possible, Equifax contracted with a third-party data source that had access to a driver's license database and mapped the partial driver's licenses to an Equifax database containing Social Security numbers. According to Equifax officials, some of the individuals within this group of 2.4 million were already included in the previous total of 145.5 million affected individuals, while others were not. As of August 2018, Equifax had not determined

Equifax Notified Affected Individuals and Offered Monitoring Services

On September 7, 2017, after Equifax had determined the extent of the breach and developed a remediation plan for potentially impacted consumers, the company provided written notification to all U.S. state attorneys general regarding the approximate number of potentially affected residents in each state and its plans for consumer remediation. The notification included steps individuals could take to determine if they were affected by the breach and to help protect against misuse of their personal information. The company also issued a press release to the public providing information about the breach and the types of PII that had been compromised.

Further, the press release issued on September 7, 2017, stated that the company had set up a dedicated website to help individuals determine if their information might have been stolen in the breach. In addition, Equifax improved the search tool it had developed to help U.S. consumers determine if they were impacted and expanded its call center operations. However, the website experienced several technical issues, including excessive downtime and inaccurate data. Equifax officials acknowledged these shortcomings and said they took measures to address them, including improving the stability of the website and accuracy of the information it provided.

Additionally, Equifax reported that it would provide several services to all U.S. consumers, regardless of whether their information had been compromised, free of charge for one year. Those services included credit monitoring, individual copies of Equifax credit reports, notification of changes to credit reports, a credit "lock" allowing individuals to prevent third-parties from accessing their Equifax credit report, identity theft insurance covering certain expenses related to the process of recovering from identity theft, and a Social Security number monitoring service that would scan suspicious websites for an individual's Social Security number.

These services were offered to consumers from September 7, 2017, until January 31, 2018, when Equifax announced a new service called "Lock & Alert." This new service allows consumers to use their smartphone or computer to lock and unlock their Equifax credit report. Equifax announced that it was making this service available to all consumers at no cost.

On September 15, Equifax released a statement announcing the immediate departures and replacements of its Chief Information Officer and Chief Security Officer.[10][43] The statement included bullet-point details of the intrusion, its potential consequences for consumers, and the company's response. The company said it had hired cybersecurity firm Mandiant on August 2 to investigate the intrusion internally. The statement did not specify when U.S. government authorities were notified of the breach, although it did assert "the company continues to work closely with the FBI in its investigation".

Equifax agreed to pay $700 million to settle federal and state investigations into how it handled a massive data breach that affected nearly 150 million people, about 56% of Americans.

Consumers can claim additional services from Equifax

In addition to the cash compensation for those who can prove they directly lost time or money, all affected consumers will have the opportunity to receive at least four years of credit-monitoring services through Experian and up to an additional six more years of monitoring with Equifax. If you already have credit monitoring in place, you can request a $125 cash payment.

Starting next year, you can request up to six additional free credit reports per year from Equifax through 2027. This is in addition to the one free credit report from each credit bureau (Equifax, Experian and TransUnion) that all Americans can request annually.

Additionally, the settlement allows for seven years of free assisted identity restoration service to help you fix any fraud or identity theft issues caused by the breach.

"This company's ineptitude, negligence, and lax security standards endangered the identities of half the U.S. population," New York Attorney General Letitia James said in a statement Monday. "Now it's time for the company to do what's right and not only pay restitution to the millions of victims of their data breach, but also provide every American who had their highly sensitive information accessed with the tools they need to battle identity theft in the future."

Specific Details of Incident:

• On July 29, 2017, Equifax's Security team observed suspicious network traffic associated with its U.S. online dispute portal web application. In response, the Security team investigated and blocked the suspicious traffic that was identified.
• The Security team continued to monitor network traffic and observed additional suspicious activity on July 30, 2017. In response, the company took offline the affected web application that day.
• The company's internal review of the incident continued. Upon discovering a vulnerability in the Apache Struts web application framework as the initial attack vector, Equifax patched the affected web application before bringing it back online.
• On August 2, 2017, Equifax contacted a leading, independent cybersecurity firm, Mandiant, to assist in conducting a privileged, comprehensive forensic review to determine the scope of the intrusion, including the specific data impacted.
• Over several weeks, Mandiant analyzed available forensic data to identify unauthorized activity on the network.
• The incident potentially impacts personal information relating to 143 million U.S. consumers, primarily names, Social Security numbers, birth dates, addresses and, in some instances, driver's license numbers.
  o In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed.
  o Equifax also identified unauthorized access to limited personal information for certain U.K. and Canadian residents and is working with regulators in those countries.
• With respect to the company's security posture, Equifax has taken short-term remediation steps, and Equifax continues to implement and accelerate long-term security improvements.
Equifax's most important post-breach initiatives included:

• Improving systems monitoring;
• Enhancing the security team's communication with the C-suite;
• Changing the corporate culture by getting employees to recognize the importance of cybersecurity.

Improving Systems Monitoring

Addressing systems monitoring, Farshchi says: "We've instituted this concept of assurance so we can consistently and continuously in real-time monitor not only the coverage but the effectiveness of every single one of our controls and cloud space. And so if someone does configure a firewall or whatever, we really see it - we can even proactively prevent them from being able to do that."

Systems monitoring is a priority because the data breach stemmed from Equifax's security team failing to patch a vulnerability in Apache Struts even after it had been warned and conducted a search. This allowed threat actors to have access to the company's network for several months.

Facilitating Better Communication

The second initiative that Farshchi is pursuing focuses on being able to effectively communicate with the executive team, board of directors and other non-technical staffers on cybersecurity issues facing the company.

"We've established a framework to be able to more effectively communicate technical security risks in a businesslike fashion, tying into things like attack vectors," Farshchi says.

The CISO believes the framework Equifax has developed to accomplish this task works so well that he's making it open source and freely available to others.

Changing the Culture

In the wake of the breach, cultural issues have been the most difficult challenge for Equifax to overcome, Farshchi says.

For example, to determine whether training is working, the company issues a scorecard to every employee - from the CEO on down - each month that shows how well they performed, from a cybersecurity perspective.

"We've applied educational best practices so that they get immediate feedback in terms of what they did right and what they did wrong," Farshchi says. "We put a positive spin on it; we try not to be negative and the downer all the time." The scorecard supplies immediate feedback on what a staff member should do and how they can do better.

Equifax was also woefully underprepared to handle the fallout, botching both the public disclosure and its effort to make resources available to impacted people. In the months since, the credit bureau has remained fairly quiet amidst class action suits, congressional scrutiny, a Federal Trade Commission probe, and a wave of new state regulations designed to ensure that Equifax substantially improves its security defenses. As part of this process, the company hired a new chief information security officer, Jamil Farshchi, in February. In the year since the breach, the company has invested $200 million on data security infrastructure. And Farshchi says Equifax has given him the resources he needs to build a stellar security program.

Another primary priority has been strengthening access control protections and identity management across the company. By keeping systems more siloed, Equifax can minimize the free-for-all of unneeded access that adds exposure and risk. Additionally, Farshchi says that the company has prioritized improved data protection across its entire infrastructure, coupled with better detection and response programs to handle new problems more gracefully if and when they emerge. Farshchi says that the company is also working on a major cultural shift to incorporate both preventative measures and response training across every department. Equifax is also already working to turn these improvements outward to help others, and perhaps tout its transformation in the process. "Our goal is to create a world-class security program at Equifax and to share what we've learned from our own experiences in order to ultimately help our industry better protect and defend against cyberattacks," Equifax CEO Mark Begor wrote in comments to WIRED. "Data security is a long-term battle that will require continued innovation and attention. It will always be a top priority for our company."

The breach of the credit reporting firm Equifax, which exposed extensive personal data for 143 million people, is the worst corporate data breach to date. But, incredibly, the mistakes and the superlatives don't end there. Three weeks since the company first publicly disclosed the situation, a steady stream of gaffes and revelations paint a picture of Equifax's deeply lacking response to catastrophe.

Equifax's bungles kicked off quite literally on day one, when the company directed potential victims to a separate domain, equifaxsecurity2017.com, instead of simply building pages to handle the breach off of its main, trusted website, equifax.com. Observers quickly found bugs, some of them serious, in that breach-response site. All the while, Equifax asked people to trust the security of the site, and to submit the last six digits of their Social Security number as a way of checking whether their information had been potentially compromised in the breach.

"It's going to be more difficult to convince people that they can now safeguard data, because Equifax has undermined their credibility from the way they've responded. They made the situation worse."

In the weeks since Equifax disclosed the breach, the company's official Twitter account has mistakenly tweeted a phishing link four times, instead of the company's actual breach response page. Lucky for Equifax, the page isn't actually malicious. Developer Nick Sweeting set up securityequifax2017.com, versus the legitimate equifaxsecurity2017.com, to show how easy the site is to spoof, and how ill-advised it was for Equifax to break it away from its main corporate domain. But if it hadn't been a proof-of-concept, the phish Equifax inadvertently promoted could have done a lot of harm. Sweeting says the fake site has had roughly 200,000 page loads.
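The spoof described here, and in the earlier sections on equifaxsecurity2017.com, was easy to anticipate: a brand split across a freshly registered multi-word domain can be reordered, hyphenated, or trimmed by anyone. The following is an added example, not Equifax's or the page's code. It enumerates those registrable variants of a token list and checks a constructed feed of observed domains (the kind of list a certificate-transparency or new-registration monitor returns) against them, with an assumed allowlist of the legitimate names. Homoglyph and typo variants are deliberately out of scope.

```python
import itertools
from typing import Iterable, List, Set

TLDS = ("com", "net", "org", "co", "info")

# Assumed inputs for the example: the tokens of the separate breach domain and
# the names that are legitimately ours.
BRAND_TOKENS = ["equifax", "security", "2017"]
ALLOWED = {"equifaxsecurity2017.com", "equifax.com"}

# Constructed feed of newly seen domains (what a CT-log or registration monitor
# would hand back). The first entry is the spoof the page describes.
OBSERVED = [
    "securityequifax2017.com",
    "Equifax-Security2017.net",
    "security-equifax.com",
    "equifax.com",
    "equifaxsecurity2017.com",
    "example.org",
]


def lookalike_candidates(tokens: List[str], tlds: Iterable[str] = TLDS) -> Set[str]:
    """Every ordering of every non-empty subset of the tokens, with or without a
    hyphen at each join, under each TLD. Homoglyphs and typos are out of scope."""
    names = set()
    for n in range(1, len(tokens) + 1):
        for perm in itertools.permutations(tokens, n):
            for seps in itertools.product(("", "-"), repeat=n - 1):
                label = perm[0] + "".join(sep + tok for sep, tok in zip(seps, perm[1:]))
                for tld in tlds:
                    names.add(f"{label}.{tld}")
    return names


def find_lookalikes(observed: Iterable[str], allowed: Iterable[str], candidates: Set[str]) -> List[str]:
    """Observed names that collide with a candidate and are not on the allowlist."""
    ours = {d.lower().rstrip(".") for d in allowed}
    seen = {d.lower().rstrip(".") for d in observed}
    return sorted(d for d in seen if d in candidates and d not in ours)


if __name__ == "__main__":
    cands = lookalike_candidates(BRAND_TOKENS)
    print(len(cands), "candidates generated")
    for hit in find_lookalikes(OBSERVED, ALLOWED, cands):
        print("lookalike:", hit)
```

The better fix is the one the article implies: host the response page under the existing trusted domain (a subdomain of equifax.com), which no third party can register, and run this kind of monitor against the brand itself rather than against a name minted for the incident.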
The accumulation of missteps, slow disclosure, and problematic public response with so many millions of innocent consumers potentially affected deeply troubles security practitioners. "These are all indicators of a company that had a horrible security culture," says Tinfoil Security's Borohovski. "Unfortunately, the only word for it is negligence." And the more recent mistakes join a list of other revelations that Equifax had a disorganized approach to security, and a naiveté about the possibility of a breach. The fact that attackers got into Equifax's systems through a known vulnerability with a patch available galls security analysts. But the company also acknowledged that it knew about the patch when it was first released, and had actually attempted to apply it to all its systems. This inadequate effort hints at the truly haphazard nature of Equifax's operation. "There's no question a company like Equifax would be targeted all the time [by hackers] and that's hard, but all of this really speaks to poor security practices and a lackadaisical response," Casaba Security's Glassberg says.

Equifax Data Breach Settlement: What You Should Know

Benefits Available To You

If you were affected by the breach, you may be eligible for benefits.

1. Free Credit Monitoring or Cash Payment

You can get at least 4 years of free credit monitoring of your credit report at all three credit
bureaus (Equifax, Experian, and TransUnion). On top of that, you can get up to 6 more years
of free credit monitoring of your Equifax credit report. That's a total of 10 years of free credit
monitoring. (Minors affected by the breach are eligible for even more free credit monitoring.)

If you have credit monitoring that will continue for at least 6 months and you decide not to
enroll in the free credit monitoring offered in the settlement, you may be eligible for a cash
payment. The amount you'd get will depend on the number of claims filed.

2. Reimbursement for Your Time and Other Cash Payments

You may be eligible for reimbursement and cash payments up to $20,000 for:

- time you spent protecting your identity or recovering from identity theft, up to
  20 hours at $25 per hour
- money you spent protecting your identity or recovering from identity theft,
  like the cost of freezing or unfreezing your credit report or unauthorized
  charges to your accounts
- up to 25% of the cost of Equifax credit monitoring or identity protection
  products you bought between September 7, 2016 and September 7, 2017

3. Free Identity Restoration Services

You are eligible for free identity restoration services for at least 7 years that you can use if
someone steals your identity or you experience fraud.
The claims process will start after court approval

Important Update:

The Settlement received final approval from the Court on January 13, 2020. The Final
Approval Order and Final Order and Judgment are available for review.

The Court gave final approval to the Settlement and overruled all objections on
January 13, 2020.  However, some objectors have now appealed the Court’s decision to
approve the Settlement.  

The Appellate Court recently entered an order providing that oral argument on the
objectors’ appeals will take place in April 2021.  Unfortunately, we do not know when
the appellate court will issue a ruling on the settlement after hearing oral argument.  By
order of the Court, the Settlement cannot become final until the appeals of the
remaining six objectors are resolved.

In September of 2017, Equifax announced it experienced a data breach, which
impacted the personal information of approximately 147 million people. A federal
court approved a class action Settlement that resolves lawsuits brought by
consumers after the data breach. Equifax denied any wrongdoing and no judgment
or finding of wrongdoing was made.

If you are a class member, the deadline to file Initial Claims Period claim(s) for free
credit monitoring or up to $125 cash payment and other cash reimbursement passed
on January 22, 2020. 

Please note that no Settlement benefits will be distributed or available until the Settlement
becomes effective. The Settlement will become effective after all appeals have been
resolved in favor of the Settlement.  If you requested a cash benefit during the Initial
Claims Period, the amount you receive may be significantly reduced depending on
how many valid claims are submitted by other class members. Based on the number
of potentially valid claims that have been submitted to date, payments for time spent
and alternative compensation of up to $125 likely will be substantially lowered and
will be distributed on a proportional basis if the Settlement becomes effective.
Depending on the number of valid claims filed, the amount you receive may be a
small percentage of your initial claim.

Extended Claims Period Claims

If you were impacted by the Equifax data breach, you may seek reimbursement for
valid Out of Pocket losses or Time Spent (excluding losses of money and time
associated with freezing or unfreezing credit reports or purchasing credit monitoring
or identity theft protection) incurred during the Extended Claims Period if you have
not received reimbursement for the claimed loss through other means.

To be eligible, your claim for Out-of-Pocket Losses or Time Spent must
occur between January 23, 2020 and January 22, 2024 (the "Extended Claims Period").
During the Extended Claims Period, impacted class members may submit claim(s) for
cash reimbursement. You may be eligible for the following reimbursement cash
payments for:

- Time Spent during the Extended Claims Period recovering from fraud, identity
  theft, or other misuse of your personal information caused by the data breach,
  up to 20 total hours at $25 per hour.
- Out-of-Pocket Losses during the Extended Claims Period resulting from the
  data breach, up to $20,000.

In order to submit a claim for Time Spent or Out-of-Pocket Losses during the
Extended Claims Period, you must certify that you have not received reimbursement
for the claimed loss through other means.

Free Identity Restoration Services: When the Settlement becomes effective, you will be
eligible for at least 7 years of free assisted identity restoration services to help you remedy
the effects of identity theft and fraud.

Your Legal Rights And Options In This Settlement

File a claim for Out-of-Pocket Losses or Time Spent
Deadline: January 22, 2020 (for current losses and time) (PASSED);
January 22, 2024 (for future losses and time)
The deadline to file a claim for Out-of-Pocket Losses or Time Spent that occurred
through January 22, 2020 has passed. Submit a claim to receive reimbursement for
Out-of-Pocket Losses and/or Time Spent. You may claim Out-of-Pocket Losses, Time
Spent, and Credit Monitoring Services under the Settlement depending on whether
you file claim(s) during the Initial or Extended Claims Period. You may seek
reimbursement for valid Out-of-Pocket Losses or Time Spent (excluding losses of
money and time associated with freezing or unfreezing credit reports or purchasing
credit monitoring or identity theft protection) incurred during the Extended Claims
Period (between January 23, 2020 and January 22, 2024) if you have not received
reimbursement for the claimed loss through other means. For more detailed
information, see FAQs 7 and 8.

File a claim for Credit Monitoring Services or Alternative Reimbursement Compensation
Deadline: January 22, 2020 (PASSED)
Submit a claim to receive the Free Credit Monitoring Services offered under the
Settlement, or Alternative Reimbursement Compensation. For more detailed
information, see FAQs 8 and 10.

File a claim for Equifax Subscription Product Reimbursement
Deadline: January 22, 2020 (PASSED)
Submit a claim to receive reimbursement for Equifax Subscription Product
Reimbursements.

Access to Identity Restoration Services
Deadline: Services will be available for at least 7 years beginning after the
Settlement becomes effective.
You may access Identity Restoration Services after the Settlement becomes effective
regardless of whether or not you make a claim under the Settlement. For more
detailed information, see FAQ 11.

Exclude yourself from the Settlement
Deadline: November 19, 2019 (PASSED)
The deadline to exclude yourself from the Settlement has passed.

Object or comment on the Settlement
Deadline: November 19, 2019 (PASSED)
The deadline to object to the Settlement has passed.

Do nothing
Deadline: none
If you do nothing, you can still access Identity Restoration Services, but will not be
entitled to any other benefits provided under the Settlement. If the Settlement
becomes effective, you will give up your rights to sue Equifax separately for claims
relating to the Data Breach or to continue to pursue any such claims you have
already filed.
