7 ON YOUR SIDE: Problems with signing up for Equifax hack protection
ALEXANDRIA, Va. (ABC7) —
Monday marks the first day people can sign up for free credit monitoring in the wake of last week’s Equifax data breach. A reported 143 million Americans had personal data stolen, ranging from Social Security numbers to birthdates and driver’s license numbers.
Until this weekend, people signing up for Equifax’s free credit monitoring service were compelled to agree to an arbitration clause, taking away their potential rights to sue Equifax.
Virginia Attorney General Mark Herring and other attorneys general opposed arbitration clauses for financial services.
“What we need to be doing is protecting consumers, not looking the other way and allowing finance companies to force consumers either unknowingly or unfairly signing away any legal rights they have,” said Herring.
Viewers alerted 7 On Your Side to a potential vulnerability in the website Equifax used to sign people up for free credit monitoring. 7 On Your Side tested this.
EquifaxSecurity2017.com asks people to type in their last name and the last six digits of their Social Security number. But typing in anything – including “test” and “123456” as the last six digits – still results in a message from Equifax claiming, “Based on the information provided, we believe that your personal information may have been impacted by this incident.”
“Do I really trust an organization to protect my identity which has just lost my identity? I'd rather get my own identity theft protection rather than get it from them,” said John von Ruden, President of the Northern Virginia chapter of the Information Systems Security Association.
Joe Klein, Chief Technology Officer of Leesburg security firm Disrupt6, researched the Equifax hack and added, “We looked at the website and it had exactly the same vulnerability that had hit on prior that they hadn’t patched.”
Klein said the Equifax hack appeared to be from a previously known vulnerability in the Apache brand server software.
“So we're talking about patching your software, having good passwords and making sure you're logging information specifically for companies so you can find the attackers within seconds, instead of months.”
Equifax has not responded to requests for comment.
This story has been updated, Thursday, Sept. 14, 2017