Equifax said Thursday that it will offer free credit monitoring services to all U.S. consumers for one year, after announcing that roughly 143 million Americans' personal data could have been compromised when hackers gained access to its data earlier in the year.
But before people can sign up and find out whether their personal information was compromised, consumers are prompted to enter their last name and the last six digits of their Social Security number.
“This is very unusual — most security systems are hard-wired only to reveal the last four digits of an SSN for identification purposes,” said Satya Gupta, co-founder & chief technology officer at Virsec Systems, a cybersecurity firm. “This strongly implies that the typical four digits may have been compromised, and they need additional, previously ‘secret’ information to positively identify customers. This reinforces the conundrum of these breaches — with more information exposed, how do you now prove a person’s identity?”
Equifax did not immediately respond to queries about why its website asks for such information.
On Twitter, many expressed their exasperation with Equifax's approach. Others took a sarcastic route.
I can't believe that @Equifax has the audacity to ask for 2/3rds of your SSN and your last name to verify if you're part of the data breach
— Anita Knapp (@GayRobot_) September 7, 2017
If you're worried about your personal data being breached due to Equifax hacking, then send me your name & social security # so I can check
— Sam Z Comedy (@SamZComedy) September 7, 2017
#equifax soooo to find out if my info was compromised, I have to provide more of my info. Why not just contact us yourself? pic.twitter.com/LzUoCkPHln
— Patrick Hyatt (@PatrickHyatt) September 7, 2017
“Right now, the wound is raw,” said Jeff Kagan, a Georgia-based telecommunications industry analyst. “For Equifax to pour more salt on that wound today by asking to put your information on another website that they promise will be secure doesn’t make sense. Why Equifax doesn’t understand this before it put up this website raises another question — it’s a big, embarrassing mistake.”
Several people who took the leap and submitted their information to Equifax said on Twitter and elsewhere that after signing up, Equifax did not disclose whether their personal data was impacted by the massive breach. Instead they received an enrollment date for the credit monitoring program.
According to the website that Equifax created to help consumers, www.equifaxsecurity2017.com, people will first have to enter their information, and then days later, would be able to enroll in an identity theft protection and credit file monitoring product called TrustedID Premier. “The enrollment process is scheduled over several days to minimize delays and to service all consumers efficiently,” the website says.
Equifax also said that the credit card numbers of about 209,000 U.S. consumers, and credit dispute documents of roughly 182,000 U.S. consumers, were also accessed by hackers. The company will be mailing out notices to those individuals, but it will not be contacting everyone who was affected in the data breach.
Read more:
Why it can take so long for companies like Equifax to reveal their data breaches
See how data breaches grew to massive proportions in 11 years
From January: Equifax and TransUnion fined $23 million for misrepresenting credit products
