7 ON YOUR SIDE: Problems with signing up for Equifax hack protection

This July 21, 2012, photo shows Equifax Inc., offices in Atlanta. Credit monitoring company Equifax says a breach exposed social security numbers and other data from about 143 million Americans. The Atlanta-based company said Thursday, Sept. 7, 2017, that "criminals" exploited a U.S. website application to access files between mid-May and July of this year. (AP Photo/Mike Stewart)

Monday marks the first day people can sign up for free credit monitoring in the wake of last week’s Equifax data breach. A reported 143 million Americans had personal data stolen, ranging from social security numbers to birthdates and driver’s license numbers.

Until this weekend, people signing up for Equifax’s free credit monitoring service were compelled to agree to an arbitration clause, taking away their potential rights to sue Equifax.

"The arbitration clause and class action waiver included in the TrustedID Premier Terms of Use applies to the free credit file monitoring and identity theft protection products, and not the cybersecurity incident," said Equifax spokesperson Francesca De Giolami Friday afternoon.

Virginia Attorney General Mark Herring and other attorneys general opposed arbitration clauses for financial services.

“What we need to be doing is protecting consumers, not looking the other way and allowing finance companies to force consumers either unknowingly or unfairly signing away any legal rights they have,” said Herring.

Viewers alerted 7 On Your Side to a potential vulnerability in the website Equifax used to sign people up for free credit monitoring. 7 On Your Side tested this. The site asks people to type in their last name and the last six digits of their social security number. But typing in anything, including “test” as the last name and “123456” as the last six digits, still results in a message from Equifax claiming, “Based on the information provided, we believe that your personal information may have been impacted by this incident.”

“Do I really trust an organization to protect my identity which has just lost my identity? I'd rather get my own identity theft protection rather than get it from them,” said John von Ruden, President of the Northern Virginia chapter of the Information Systems Security Association.

Joe Klein, Chief Technology Officer of Leesburg security firm Disrupt6, researched the Equifax hack and added, “We looked at the website and it had exactly the same vulnerability that had hit on prior that they hadn’t patched.”

Klein said the Equifax hack appeared to be from a previously known vulnerability in the Apache brand server software.

“So we're talking about patching your software, having good passwords and making sure you're logging information specifically for companies so you can find the attackers within seconds, instead of months.”

Equifax has not responded to requests for comment.

This story has been updated, Thursday, Sept. 14, 2017
