The Equifax Breach Settlement Offer is Real, For Now – Krebs on Security

Millions of people likely just received an email or snail mail notice saying they’re eligible to claim a class action payment in connection with the 2017 megabreach at consumer credit bureau Equifax. Given the high volume of reader inquiries about this, it seemed worth pointing out that while this particular offer is legit (if paltry), scammers are likely to soon capitalize on public attention to the settlement money.
One reader’s copy of their Equifax Breach Settlement letter. They received a check for $6.97.
In 2017, Equifax disclosed a massive, extended data breach that led to the theft of Social Security Numbers, dates of birth, addresses and other personal information on nearly 150 million people. Following a public breach response perhaps best described as a giant dumpster fire, the big-three consumer credit reporting bureau was quickly hit with nearly two dozen class-action lawsuits.
In exchange for resolving all outstanding class action claims against it, Equifax in 2019 agreed to a settlement that includes up to $425 million to help people affected by the breach.
Affected consumers were eligible to apply for at least three years of credit monitoring via all three major bureaus simultaneously, including Equifax, Experian and TransUnion. Or, if you didn’t want to take advantage of the credit monitoring offers, you could opt for a cash payment of up to $125.
The settlement also offered reimbursement for the time you may have spent remedying identity theft or misuse of your personal information caused by the breach, or purchasing credit monitoring or credit reports. This was capped at 20 total hours at $25 per hour ($500), with total cash reimbursement payments not to exceed $20,000 per consumer.
Those who did file a claim probably started receiving emails or other communications earlier this year from the Equifax Breach Settlement Fund, which has been messaging class participants about methods of collecting their payments.
How much each recipient receives appears to vary quite a bit, but probably most people will have earned a payment on the smaller end of that $125 scale — like less than $10. Those who received higher amounts likely spent more time documenting actual losses and/or explaining how the breach affected them personally.
So far this week, KrebsOnSecurity has received at least 20 messages from readers seeking more information about these notices. Some readers shared copies of letters they got in the mail along with a paper check from the Equifax Breach Settlement Fund (see screenshot above).
Others said they got emails from the Equifax Breach Settlement domain that looked like an animated greeting card offering instructions on how to redeem a virtual prepaid card.

If you received one of these settlement emails and are wary about clicking the included links (good for you, by the way), copy the redemption code and paste it into the search box at myprepaidcenter.com/redeem. Successfully completing the card application requires accepting a prepaid MasterCard agreement (PDF).
The website for the settlement — equifaxbreachsettlement.com — also includes a lookup tool that lets visitors check whether they were affected by the breach; it requires your last name and the last six digits of your Social Security Number.
But be aware that phishers and other scammers are likely to take advantage of increased public awareness of the payouts to snooker people. Tim Helming, security evangelist at DomainTools.com, today flagged several new domains that mimic the name of the real Equifax Breach Settlement website and do not appear to be defensively registered by Equifax, including equifaxbreechsettlement[.]com, equifaxbreachsettlementbreach[.]com, and equifaxsettlements[.]co.
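A defender-side check for the lookalike pattern described above, as an added example that is not from the original article: it sorts candidate domains by how they imitate the real settlement site's name. The edit-distance threshold, the `BRAND_TOKENS` list and all function names are assumptions made for illustration.

```python
"""Added example: sort candidate domains by how they imitate a legitimate site name."""

LEGIT = "equifaxbreachsettlement.com"     # real settlement site named in the article
BRAND_TOKENS = ("equifax", "settlement")  # assumption: keywords treated as brand terms


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) via row-by-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def refang(domain: str) -> str:
    """Undo '[.]' defanging and normalise case and trailing dot."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")


def classify(domain: str, legit: str = LEGIT, max_edits: int = 2) -> str:
    d = refang(domain)
    if d == legit or d.endswith("." + legit):
        return "legitimate"
    labels = d.split(".")
    # Naive registrable-name guess: ignores multi-part suffixes such as co.uk.
    name = labels[-2] if len(labels) >= 2 else d
    legit_name = legit.split(".")[0]
    if levenshtein(name, legit_name) <= max_edits:
        return "typo-variant"          # misspelling, or same name under another TLD
    if legit_name in name:
        return "embeds-legit-name"     # real name padded with extra words
    if all(tok in name for tok in BRAND_TOKENS):
        return "brand-keywords"        # brand terms recombined
    return "unrelated"


if __name__ == "__main__":
    # The three lookalikes quoted in the article, plus the real site.
    for dom in ("equifaxbreechsettlement[.]com", "equifaxbreachsettlementbreach[.]com",
                "equifaxsettlements[.]co", "www.equifaxbreachsettlement.com"):
        print(f"{dom:40} {classify(dom)}")
```

A result other than "legitimate" is a prompt for review of registration data, not proof of malicious use.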
In February 2020, the U.S. Justice Department indicted four Chinese officers of the People’s Liberation Army (PLA) for perpetrating the 2017 Equifax hack. DOJ officials said the four men were responsible for carrying out the largest theft of sensitive personal information by state-sponsored hackers ever recorded.
Equifax surpassed Wall Street’s expectations in its most recent quarterly earnings: The company reported revenues of $1.24 billion for the quarter ending September 2022.
Of course, most of those earnings come from Equifax’s continued legal ability to buy and sell eye-popping amounts of financial and personal data on U.S. consumers. As one of the three major credit bureaus, Equifax collects and packages information about your credit, salary, and employment history. It tracks how many credit cards you have, how much money you owe, and how you pay your bills. Each company creates a credit report about you, and then sells this report to businesses who are deciding whether to give you credit.
Americans currently have no legal right to opt out of this data collection and trade. But you can and also should freeze your credit, which by the way can make your credit profile less profitable for companies like Equifax — because they make money every time some potential creditor wants a peek inside your financial life. Also, it’s probably a good idea to freeze the credit of your children and/or dependents as well. It’s free on both counts.
This entry was posted on Tuesday 20th of December 2022 03:08 PM
I think the lawyers that sued Equifax need to be sued for keeping all the money and not providing it to the people that actually lost from the security breach. My SSN was supposedly not among those affected, so I didn’t worry much, but a few months later 2,000,000 more numbers were added to the list. I found this out when eight credit cards were opened in my name and mailed elsewhere. The thieves’ address showed up on my credit report as mine! Since I don’t live in the US, I had to fly back to fix the whole mess and be able to do a police report. My compensation for all of this: $35.23. But I see I got more money than others, so why am I complaining?
Wow, so I stumbled upon this here feed yesterday when inquiring about the payment we were waiting for from Equihax. I was hoping wishing and praying for the most ($20,000.) figured it wouldn’t happen, hoped for the $500 range from the 20 plus hours I spent but could only claim 20 @ $25/hr. Would have been satisfied even with the $125, but ended up with a mere $40.44 . I have learned to defeat negative feelings I should be grateful and thankful for what I still do have. Thank you Jesus for everything you do for me.
I got $3.98. What a joke. Lawyers are popping champagne on new boats and we don’t get enough to even pay for your time to read Mastercard’s 20 pages of BS agreement to use a $3.98 card.
Lmao. $5.81. Are you kidding me? After all that time. I swear I remember in the beginning it said take a year of credit monitoring for free or opt for $180 when it settles but, nope. I get a whopping $5.81. What am I supposed to do with that? Smh unreal!
Lawyers got $77.5 million to handle the case. Chew on that. Think of the accumulative hours wasted dealing with the fallout from the data breach, then the accumulative hours wasted calculating your prior wasted time because the attorneys advertised that you would be fairly compensated. Wish there was a way to sue the lawyers for wasting my time.
5.21 also. Looks sketchy
Well, stick a needle in my eye and call me crazy. I took home a cool $5.21, which is not even enough to buy a blue checkmark for a month.
I’m not clicking on anything. It’s not worth the $5.21 to risk more problems. I can find more than that just walking down the sidewalk on any given day!!
I’m scared to death to click on mine for $5.21, is it really worth it… The email to me came from EquifaxDataBreachSettlement@hawkmarketplace.com and then at the bottom it says this?? what?
who?
You received this email from the Equifax Data Breach Settlement, c/o JND Legal Administration, PO Box 91318, Seattle, WA 98111-9418
If you do not wish to receive further emails from the Equifax Data Breach Settlement, contact us at privacy@jndla.com
How would you know it’s real?? hawkmarketplace.com?? hum???
S P A M
I have not received any emails or postal mail. How can I confirm whether my details were stolen? I really could use that $4.72!
It’s even worse, in the terms of accepting the pre-paid card, you agree to this:
Inactivity Fee. $5.95
You will be charged $5.95 each month after you have not completed a transaction using your card for 6 months
There are a few ways to read that clause due to the lack of punctuation:
1. You have to use the card within six months, or you will be charged $5.95 per month.
– or –
2. Once you use the card, you have six months to use the card again, or you will be charged $5.95 per month.
– or –
3. You will be charged $5.95 for six months once you stop using the card.
In either event, it’s not clear if they mean you will be on the hook for the $5.95 until your card is at zero balance, or if you are charged forever even if you have a zero balance.
After reading the nine page agreement, I don’t think it says either way. Maybe they need to update the TOS to be more clear.
email from hawkmarketplace.com
is a scam??
Just thank you! Mine was only $12, but now I felt safe redeeming it. I now have $12 more than this morning
Finally you can afford that coveted Subway sandwich meal with drink and chips.
Things are definitely looking up.
The email is real and activation simple. To redeem, go to Amazon and reload gift card balance for the exact amount. The entire process takes just moments.
$1.76. And what’s weird is I had revised the claim to get the credit monitoring. I thought that meant you were not eligible for the cash payout.
I got a check for $19.30
Enough for gasoline to travel 80-120 miles or so! Look out 2023 commute, winners coming through.
Zut alors…
Amazing to see the US stoofs angrily quibbling over the pennies Equifax has thrown at your feet.
Particularly compared to the tens of thousands of US$ Equifax earns per day, if not per hour, selling the CHI off your Credit Report to the highest bidder at that moment.
Same with Trans Union, Experian.
All because of a 1992 decision by the FTC.
And none of you seem to have a clue or care what to do to protect yourself from the next major CRA breach…
We wish you much good luck…
Blanche DeBois… the real merde in this whole thing is that NO ONE ever signed up with any of the credit bureaus. They just siphon our info and create a database for others to use against us. They are making money off our information without us having a choice. So all the major businesses on the internet thought to themselves: THAT is a fantastic business model, we will do it too!
Maybe I did better than most, but my check was for $361.94. I did document pretty extensively what all I did and all, so I am guessing that helped.
I got a paypal credit for $5 and change. These people can KISS MY ASS.
I had a surprise notice from PayPal that I had received $7.05 from Equifax while I was away on my cruise. A pittance, to be sure, but a surprise credit is always better than a surprise debit!
Guess I should feel lucky. Scored $12.26! That will teach them to lose years of my credit history.
So I had similar reaction probably as most readers of this blog. “Enter the last six digits of my SSN (particularly where the last 4 are the only part that seem to have any randomness to them)? Oh HE** NO!!” So yeah, I went to this site and the settlement administrator’s site, buried in the FAQs (though at very end, so do scroll to end, #36 – https://www.equifaxbreachsettlement.com/faq) (and yes, it did make me recall the John Oliver segment re: that site in the early days of this mess…) is the part confirming email to be sent from EquifaxDataBreachSettlement@hawkmarketplace.com.
But yeah, I don’t click links and this just felt rather dodgy AF (yup, we all got paltry fraction of any reasonable settlement, I wasn’t about to add insult to injury and get further violated over roughly $44). But wanted to share the data point of possible validation.
Trying to keep perspective, definitely first world problems and relatively minor at that. But. So. Many. Unforced. Errors.
This is so not how I wanted to spend ANY part of my NYE. But hope this gives maybe someone else a bit of peace of mind.
Here’s to some improvements implemented in 2023. Cheers! (and a sincere thank you that this blog and community exists so we don’t have to mentally shout/curse at our screens alone. Happy 13th and here’s to many more anniversaries ahead!)
Since we tend to be a bit more cyber-wise here, visualize an animated gif of Homey da Clown thwaking this mess upside the head…
Today’s mail brought a check in the amount of $14.02. The various amounts reported are interesting and it leads me to wonder how they are determined.