2017 Equifax data breach

In February 2020, the United States government indicted members of China's People's Liberation Army for hacking into Equifax and plundering sensitive data as part of a massive heist that also included stealing trade secrets, though the Chinese Communist Party denied these claims.

[13] Security experts found an unknown hacking group trying to find websites that had failed to update Struts as early as March 10, 2017.

[27][28][29][30] On September 10, 2017, three days after Equifax revealed the breach, Congressman Barry Loudermilk (R-GA), who had been given two thousand dollars in campaign funding from Equifax,[31][32] introduced a bill to the U.S. House of Representatives that would reduce consumer protections in relation to the nation's credit bureaus, including capping potential damages in a class action suit at $500,000 regardless of class size or amount of loss.

[33][34] Following criticism by consumer advocates, Loudermilk agreed to delay consideration of the bill "pending a full and complete investigation into the Equifax breach".

In announcing the change, the board's chairman noted McGregor's "extensive data security, cybersecurity, information technology and risk management experience".

[42][43] Equifax narrowed its estimate for UK consumers affected by the breach to 15.2 million in October 2017,[44][45] of whom 693,665 had sensitive personal data disclosed.

[57] On July 22, 2019, Equifax agreed to a settlement with the Federal Trade Commission (FTC), CFPB, 48 U.S. states, Washington, D.C., and Puerto Rico to alleviate damages to affected individuals and make organizational changes to avoid similar breaches in the future.

[58] In July 2019, the FTC published information on how affected individuals could file a claim against the victim compensation fund using the website EquifaxBreachSettlement.com.

Equifax did not immediately disclose whether PINs and other sensitive information were compromised, nor did it explain the delay between its discovery of the breach in July and its public announcement in early September.

[64] Equifax stated that the delay was due to the time needed to determine the scope of the intrusion and the large amount of personal data involved.

[66] The company said the executives, including the chief financial officer John Gamble,[67][26] "had no knowledge that an intrusion had occurred at the time they sold their shares".

When publicly revealing the intrusion to its systems, Equifax offered a website (https://www.equifaxsecurity2017.com)[70] for consumers to learn whether they were victims of the breach.

[71] Moreover, members of the public wanting to use the Equifax website to learn if their data had been compromised had to provide a last name and six digits of their social security number.

[73] The Trusted ID Premier website contained terms of use, dated September 6, 2017 (the day before Equifax announced the security breach), which included an arbitration clause with a class action waiver.

[75] According to Polly Mosendz and Shahien Nasiripour, "some fear[ed] that simply using an Equifax website to check whether their information was compromised bound them to arbitration".

[76] The equifax.com website has separate terms of use with an arbitration clause and class action waiver, but, according to Brian Fung of The Washington Post, "it's unclear if that applies to the credit monitoring program".

[78] Joel Winston, a data protection lawyer, argued that the announcement disclaiming the arbitration clause "means nothing" because the terms of use state that they are the "entire agreement" between the parties.

[79][80] Responding to continuing public outrage,[81] Equifax announced on September 12, 2017, that they "are waiving all Security Freeze fees for the next 30 days".