“This is very unusual — most security systems are hard-wired only to reveal the last four digits of an SSN for identification purposes,” said Satya Gupta, co-founder & chief technology officer at Virsec Systems, a cybersecurity firm. “This strongly implies that the typical four digits may have been compromised, and they need additional, previously ‘secret’ information to positively identify customers. This reinforces the conundrum of these breaches — with more information exposed, how do you now prove a person’s identity?”
Equifax did not immediately respond to queries about why its website asks for such information.
On Twitter, many expressed their exasperation with Equifax's approach. Others took a sarcastic route.
“Right now, the wound is raw,” said Jeff Kagan, a Georgia-based telecommunications industry analyst. “For Equifax to pour more salt on that wound today by asking to put your information on another website that they promise will be secure doesn’t make sense. Why Equifax doesn’t understand this before it put up this website raises another question — it’s a big, embarrassing mistake.”
Several people who took the leap and submitted their information to Equifax said on Twitter and elsewhere that after signing up, Equifax did not disclose whether their personal data was impacted by the massive breach. Instead they received an enrollment date for the credit monitoring program.
According to the website that Equifax created to help consumers, www.equifaxsecurity2017.com, people will first have to enter their information, and then days later, would be able to enroll in an identity theft protection and credit file monitoring product called TrustedID Premier. “The enrollment process is scheduled over several days to minimize delays and to service all consumers efficiently,” the website says.
Equifax also said that the credit card numbers of about 209,000 U.S. consumers, and credit dispute documents of roughly 182,000 U.S. consumers, were also accessed by hackers. The company will be mailing out notices to those individuals, but it will not be contacting everyone who was affected in the data breach.