Results Are In: How Americans Faced the Equifax Hack where Personal Data of 45% of US Adults Were Stolen

Now, 10 months later, do they even know about it? Don’t laugh….

Consumer credit bureau Equifax disclosed very belatedly last September that it had been hacked, and that the crown jewels of personal data – including social security numbers – of 145.5 million Americans had been stolen. This is about 45% of the adult US population. Armed with this data, hackers could then embark on a binge of identity theft and loan fraud for years to come.

I covered this in a series of articles, emphasizing what consumers can do to protect themselves – put a “security freeze” on their accounts at the three major credit bureaus, Equifax, Transunion, and Experian. Numerous commenters shared their experiences and frustrations with the site that Equifax had set up to find out if they were affected and with the procedures and snafus encountered when they tried to put a “security freeze” on their accounts.

Congress held two hearings on the hack. Equifax got entangled in a flood of individual and class-action lawsuits. The CEO was axed. Some insider trading become public. Its shares plunged 34% over the first few days after the initial disclosure and remain down 11%. This was accompanied by uproar in the media.

So now, 10 months later, how did Americans deal with this fiasco? Do they even know about it? Don’t laugh….

A survey of American consumers by LendEDU, released today, found that 27% of the respondents were not even “aware” of the Equifax hack.

OK, moving on…

Of those 73% who were aware of the hack, only 57% checked the Equifax site to see if their personal data had been stolen too.

Drilling down deeper: Of those who actually checked the Equifax site to see if they were affected, 35% found that their data had been stolen.

Those who said their data had been stolen were asked if they had “sought to join any class-action lawsuit filed against Equifax as a result of the cyber-security incident,” 30% said “yes”; 53% said “not yet, but I would like to”; and the remainder said they would take no action or would “rather not say.”

All those who were “aware” of the hack were ask this question: “Following the Equifax cyber-security incident, the company offered free credit monitoring for a year and agreed to waive the requirement that anyone using the service must settle disputes through arbitration. Knowing this and any other moves made by Equifax to remedy the incident, has your perception of Equifax changed for the better?”

  • A stunning 37% said yes; divided into two categories: 31%, “Yes, they are trying their best to help consumers”; and 6%, “Yes, other.”
  • 35% said no: with 28%, “No, I have not yet forgiven them,” and 6%, “No, other”
  • 29% had “no opinion” or were “not sure.”

And they were asked how concerned they were in general about “data breaches of a company that you have used?”

  • 34% said, “Extremely concerned”
  • 47% said, “Concerned, but not pressing”
  • The remaining 19% were either “Indifferent,” “Not very concerned,” “Not concerned at all,” or “Not sure.”

LendEDU also checked the public data base of the Consumer Financial Protection Bureau (CFPB), a government agency that allows consumers to file grievances against firms in the financial services sector. LendEDU checked the number of complaints during two time-spans: the year right before the hack, which occurred on July 12, 2017; and the year after the hack.

Turns out, Equifax complaints more than doubled, from 18,007 complaints (between July 11, 2016 through July 11, 2017) to 36,045 complaints (between July 12, 2017 through July 12 2018). This shows how frustrating this experience was for those consumers who actually tried to deal with it and protect themselves.

You can still check the page Equifax has set up to find out if your personal information was “impacted.” This is now very quick (unlike in the early days).

Since the chaos of the early weeks after the hack, the three major bureaus have improved their sites where you put a “security freeze” on your account. On a personal note, after the business school where I’d obtained my MBA informed me over a decade ago that it had been hacked and that my data was stolen, I put a security freeze on all my accounts and have maintained it since. This was the most potent thing I could do to avoid becoming a victim of identity theft. I provide the links along with some important caveats to consider in this article about halfway down.

Enjoy reading WOLF STREET and want to support it? You can donate. I appreciate it immensely. Click on the beer and iced-tea mug to find out how:

Would you like to be notified via email when WOLF STREET publishes a new article? Sign up here.

  55 comments for “Results Are In: How Americans Faced the Equifax Hack where Personal Data of 45% of US Adults Were Stolen

  1. Lenard says:

    Kudos to you, Wolf. Your site was where I first learned of the EQUIFAX DEBACLE. I tried to create my online account at the Social Security Administration website back in March 2018, but for some reason it would not explain, it would not allow me to do so. I called the SSA and the rep asked me if I had put a “security freeze” on my credit report at Equifax, and I said “yes.” They said that the Social Security Administration uses Equifax to verify the identity of the online applicant. Kind of gives you a warm, fuzzy feeling inside. Not!!!

    • Wolf Richter says:

      Yes, that’s how I found out 10 years ago that it really worked. I tried to check on my SS contributions (to make sure they were actually made) and couldn’t set up the account.

  2. J Bank says:

    LOL. Equifax doesn’t care if your info was stolen. You’re not the customer. You’re the product.

    Did you ever sign up with Equifax? What if you don’t want Equifax to have your info… is there anything you can do to stop them from getting it? Exactly.

    We need to have a broader conversation about personal information rights in this country. This was supposed to be the issue that would bring it to a head, but no one seems to care.

    • Ed says:

      Yes. This.

      People haven’t even heard of each of the three credit reporting companies. Did not sign on. Now supposed to go to this company and ask it to plug the hole it created? And to trust it to do it?

      It is no wonder people didn’t act, I think.

      • Petunia says:

        Many people have such bad credit after the financial crisis, it just doesn’t matter to them. They can’t get credit anyway.

        • alex in san jose AKA digital Detroit says:

          The Crash taught a lot of us to not take part in the credit system any more. It was a good lesson, and well learned.

          Credit will only get you into trouble 99% of the time.

        • Anon1970 says:

          Very true.

        • cd says:

          I disagree. Used to look at 100 ABS loan packages daily across country…Credit score destruction was huge in 2008-11, then all the fico algos were changed to deal with the new meme, the great recession learning lesson for debtors. They reduced the penalty for foreclosures, charge offs etc. etc…and cry letters could lift your score more….this is a cake walk compared to the 90’s algos…where yield was a must and D paper was kept under 4% of volume..

          I know repo’d home owners from 7 years ago with 790 scores today…..

        • Frederick says:

          The VERY last thing that I want is credit If I can’t pay for it I’m NOT buying it By the way here in Turkey they quote interest rates by the month so as not to scare people off lol

        • blindfaith says:

          Petunia, That is not true, and you know that. Warm blood is all a company wants now, mattresses, cars, you name it. There are plenty of companies who buy crap loans, to this day.

          But the comments about “I don’t need a loan, etc, I just do cash” means you are missing Wolf’s point. Pleas read it again.
          The point is about security ID thefts .

          Thanks Wolf…I have a freeze on and I just checked and MY ID WAS STOLLEN last year and someone attempted to access my credit for a loan. Everyone please read that again.

          Folks, Wolf is tiring to enlighten you.

        • Petunia says:


          I will try to school you on the finer points of living in poverty.

          People who’s credit was damaged by the financial crisis can still buy cheapo furniture and second hand cars on credit because they don’t check the credit, they already know it’s bad. They take a risk on making more than they lose. So yes, someone can steal your id and buy from them. A credit freeze won’t protect you from these places.

          If your credit is bad, you are already protected because no legitimate company will extend you credit. At least not a lot of credit.

      • polecat says:

        “Claudius, a word of advice from your old friend Harrod .. “Trust no one, little Marmiset .. TRUST NO ONE !”

        THAT’S how I feel about virtually EVERY institution in this country, from my city council .. to my county & state to CONgress, with ALL of the many department/agencies within their blatantly awful purview, and, of course, the utterly parasitic grift that are Big Money Bizillionars, and the Big, monopolizing Corporations, both ‘in-house’ and the multi-nationals !
        I mean, where does one turn to get honest and just service, be it a credit agency, or the people who are suppost to represent the public.
        Anymore, the answer seems to be NO ONE !

        • sierra7 says:

          “Trust” has been crucified on a Cross of Gold!
          Trust has been destroyed in this country…….we are all, individually on our own. It’s truly, “Survival of the Fittest” (even with good med insurance plan)….”Kill (get them indebted) them all and let God sort them out”…..
          Truly disgusting situation.
          Time for the pitchforks!!

      • Wisdom Seeker says:

        We were asked to ACTUALLY PAY the “credit reporting” firms to fix the mess they made, by locking up our data … data which they shouldn’t have in the first place (without our permission)!

        This is why I refused to do a “security freeze”: it’s identical to an extortion/protection racket and I have no clue why it’s even legal. “Be a shame if your restaurant burned down… why don’t you pay us a few bucks to make sure nothing bad happens?” is no different from “We just lost all your data through our own carelessness, would you like to pay us to make sure thieves don’t try to rob you with it?”

    • Unamused says:

      ->This was supposed to be the issue that would bring it to a head, but no one seems to care.

      The average person is in no position to pursue the issue with legislation or regulation. A person so affected is too busy trying to undo the damage and lacks any political power.

      Those who are in such a position instead pursue deregulation, prevent reforming legislation, and attack the Consumer Financial Protection Bureau, because that’s what people elected them to do. If you want a different result you’re going to have to vote for somebody else and hope the election isn’t hacked again by America’s new friends.

      • NotBuying says:

        I did not pay anything to lock my accounts. Perhaps your particular state of residence is to blame for the charges.

  3. Jas says:

    I love that Experian now offers a product to “scan the dark web” to look for your information, for a fee!

  4. Old dog says:

    According to Vanity Fair, the Equifax breach could cost $70 billion. In a respectable country, Equifax executives would be serving a long sentence for gross negligence.

    I doubt they are worried. They know that they have nothing to fear from punitive measures because they have seen that the public is either ignorant or apathetic. They know that they will be safe until the identity of five justices is stolen and used to pay for a subscription to a porn site. Until then, life is good in Atlanta.

    • Mean Chicken says:

      In my state, the governors son committed suicide and guess what, all of a sudden there was interest and bills were passed bolstering mental healthcare.

  5. Rates says:

    Nothing new. I’ve been reading this great book (for the non ignorants) called Reporter by Seymour Hersh. Americans in general are an ignorant people. Have always been, will always be. But to be fair, it’s true for most people in this world. I mean why bother doing anything since we are all going to heaven anyways? Right, right?

    But other than that, I did follow Wolf’s instructions in freezing my Equifax profile, so kudos to Wolf.

    • Anon1970 says:

      From a very young age, I knew that no one was going to leave me a trust fund and that I was more concerned about the here and now rather than the hereafter.

    • MB732 says:

      Rates regarding freezing only Equifax I think you are misunderstanding Wolf’s instructions. Equifax was the SOURCE of your personal information leak, but freezing only Equifax does not protect you.

      If someone uses your personal information to get credit to buy furniture at 3 stores where store 1 uses Equifax and stores 2 and 3 use Experian and TU, then only store 1 will not be able to process your request for credit. Stores 2 and 3 will have no problem so you need to freeze all three.

      • Wisdom Seeker says:

        Actually there are more than 3 credit-reporting agencies? Do we have to pay EVERY SINGLE ONE of them to “protect” us against the theft of our data (which some of them have caused)?

        It’s a protection racket and should be illegal.

  6. Javert Chip says:

    The amazing thing is our stupid politicians haven’t really lifted a finger to stop this kind of thing.

    I’m not a big believer in “government solutions”, but the software industry has put so many at such risk for so long that maybe it’s time to consider required software warranties for product security (I’m talking about you, Microsoft) and ownership of personal data reverting to individuals with increased penalties for unauthorized taking of individual data as well as severe penalties for corporate security failures (ie lack of appropriate due care).

    The software industry has the money, but not the will.

    PS my Florida healthcare provider (HealthFirst) offers identity theft protection to all members; I had it a year before the Equifax hack.

    • Unamused says:

      ->The amazing thing is our stupid politicians haven’t really lifted a finger to stop this kind of thing.

      They might be stupid, but they’re bright enough to keep you voting for them. Although it’s just possible somebody in Smolensk, or the election machine manufacturers, decided your voting habits needed adjustment.

      I wouldn’t count on getting any help from the Consumer Financial Protection Bureau:

      “Mulvaney immediately stopped hiring at the CFPB, stopped collecting fines, suspended rulemaking, and ordered all active investigations reviewed. Mulvaney also sharply reduced agency personnel’s access to bank data, arguing that it posed a security risk. On January 18, 2018, Mulvaney submitted a quarterly budget request for the CFPB to the Federal Reserve for $0.”

    • Anon1970 says:

      The politicians aren’t the ones that are stupid. It is the voters that are. In many states, the politicians figured out that there were more votes to be had by appealing to voters’ religious prejudices than by worrying about consumer protection. Even Senator Schumer D-NY protects the financial services industry. He knows how important the industry is to his state and city and as a source of campaign contributions.

      The whole concept of credit freezes originated in a bill passed by the California Assembly around 2005 at the urging of Assemblywoman Jackie Spier (now a member of Congress). Gradually, some other states followed and a few years later, the industry caved in and offered credit freezes to residents of all 50 states.

      I have had credit freezes in place since 2005 and they work.

      If you have never seen a copy of your credit report, you can get one by calling 1-877-322-8228 and answering some questions. Under Federal law, you are entitled to one free report every 12 months from each credit reporting agency. Use your first review to clean up errors and obsolete information on your report.

  7. gary says:

    “Following the Equifax cyber-security incident, the company offered free credit monitoring for a year..”

    I see that as resembling a classic sales-pitch. What kind of help is that? They need to give free credit monitoring for life. Yes it would be painful for the company, but is the breach not serious for those affected?

    • Anon1970 says:

      They need to what? They don’t need to do anything not required by state or Federal law. Are you even monitoring your own credit reports?

    • robt says:

      I find the value of Equifax credit monitoring dubious at best. A couple of years before this information theft event, someone had fraudulently used my credit card info to make a bunch of purchases. The bank contacted me about suspicious activity (in a very stupid and suspicious manner, by what seemed to be a phishing email, but that’s another story), and all the charges were quickly reversed. I had not heard a word from Equifax ‘credit monitoring’ so phoned them. It took about a half hour for them to even find my account, and when they did there was no indication of anything amiss.
      I cancelled my account immediately. That was a chore too.
      It makes me wonder – if an account was cancelled two years before the ‘event’, would the data still be vulnerable?

  8. Mean Chicken says:

    The HACK ETF is much higher now so I’d say someone didn’t forget. A brief dive in October was arranged to throw as many as possible off track.

  9. safe as milk says:

    thank you, wolf. i followed your instructions last year and froze all my credit data. it only took about an hour. i haven’t had a reason to unfreeze it since then and only wish i had done it sooner. it dovetails nicely into my goal of diminishing my dependence on the financial sector.

  10. Tyler says:

    After reading your original articles on this, I put a security freeze on the three major credit bureaus. Since then I had to temporarily lift the Transunion freeze in order to set up a merchant account. The process was very simple (took all of about 30 seconds). I would strongly encourage everyone to do it. The only downside is that it cost $10 to temporarily lift it, but I think it is well worth it.

    Thanks for the articles on this.

  11. polecat says:

    I’ll throw my feeling on the matter with Ed above .. the onus is on the Reporting Agcency, as I, or Any other Citizen, NOT consumer mine you, but CITIZEN !!, did not ask for ANY of this crap, and now you see it everywhere, by virtually Every Entity on the Planet who wants to make a quatloo from the mopes ! Where does this end ?

  12. Setarcos says:

    What kind of entity has the skill and systems capability to steal 145 million records? That takes longer than a few seconds to grab, even after you are in.

    That just didn’t seem like a garden variety hack, like the ones that seemingly happen weekly. And if someone can break that system, seems pretty likely anyone with their own system could easily be hacked. So I’ve just assumed all the info’ is out there anyway.

    • Setarcos says:

      Did it ever come out who hit them?

      • 2GeekRnot2Geek says:

        There was a DB server in Argentina. User name was admin. Password was admin. (For those of you in IT, I’m not making a joke.) This was reported by multiple news outlets in 2017. As to who did the hack, with that kind of access, unlikely they will ever know. When you start with they keys to the kingdom, you can cover your tracks easily.

        • Setarcos says:

          Thought I recalled it being Apache Struts software they were using that hadn’t had a security patch.

          Regardless, expecting all the hacks to usher in a new system of identification. Never let a crisis go to waste was how Obama’s chief of staff put it.

  13. Lion says:

    I will says thanks Wolf, as I put credits freezes on all 3 the night Wolf wrote about the heist.

    I know this works as I was looking at the new green cars a month ago and the dealership asks for your driver license to confirm, I assumed, that I had no outstanding felonies or ? Well they also run a credit report and they quickly let me know they couldn’t finance me because of the blocks. Well that was a relief to know the blocks work.

    I asked the dealership which credit agencies they use. They said they need two, Trans Union and Equifax. Go figure. I told the nice sales guy that hell would freeze, thaw, and freeze again before I ever unblock Equifax

    I still got to test drive the car.

    • Lance Manly says:

      Your existing creditors should still be able to pull a report, I would do it through the credit union anyways as the rates are still really low..

    • MB732 says:

      Lion if everyone had your attitude that would get their attention…But not much chance of that happening, unfortunately. Great comment!

      • Lion says:

        Of interest (at least to me) the car dealership mentioned that because of all the blocks (humm) the credit agencies/dealerships came up with an option that allows you to unfreeze your account for an hour or so. After the hour the freeze would be back on, automatically. This would allow the dealership to run whatever reports they need.

        I just have this vision of someone at a call center waiting for me to press the off button.

        I kinda like mine off. Like many on this board, if I can afford it, I’ll pay in cash.

  14. Emanon says:

    The division of the US government that grants security clearances had a huge hack that exposed many details, including over five million sets of fingerprints, for just about everyone who had applied for a clearance during the past 25 years. Over 20 million people were affected.

    I have not had an active clearance since 1999 and I still received a letter from the OPM warning me that I’d been hacked.

    I am, to put it mildly, not willing to trust biometric security systems for things such as credit cards, because the Chinese probably already have a copy of my fingerprints.

    Thanks, Uncle Sam. Putting Obama’s “national political director” in charge of a vital national security asset worked out REAL well. Thank God that we didn’t entrust this data to somebody who was a mere computer expert, rather than an exalted political director.

    • Frederick says:

      If Zuckerberg has your fingerprints than I’m sure he’s sold them to anyone willing to pay for them

      • Derek says:

        No doubt about that. On a related note to credit freezes, anybody who thinks they’re doing something by “deleting” their FB account doesn’t understand how computers work. I am certain FB holds on to your data, new EU privacy rules or not.

  15. WSKJ says:

    Add my thx to those above, Wolf.

    I just visited the Equifax site via the link you posted @ top, Wolf. I had to enter my last name, last 6 of Social Security number, and prove that I am not a robot (that one can be tough; and aren’t we working on AI capabilities that will breeze through the robot tests ? My name is Cybil; I am not a robot. My vision is better than 20/20.) ……

    I received a brief message that my info has not been hacked. (Yay)

    In the FAQs, the last Q. was “If my Equifax credit report is locked, who can access it ?”

    A. a list inc. of course pretty well any level of government agencies, collection agencies, etc., and:

    “…companies that wish to make pre-approved offers of credit or insurance to you.”

    Wow, that seems like the barn door is still open wide, even after the credit report lock is in place. An opt-out number is given:
    888- 567- 8688

    I recall many years back, and re-surfacing from time to time, media discussion and financial companies propaganda, and of course political promises, re this sort of data-sharing (of personal financial data), like, this really shouldn’t be allowed.

    I find it just a little surprising that a credit lock leaves this sort of backdoor wide open. But no, I have resolved not to let any financial/political nonsense surprise me. A tough resolve to try to keep.

    I don’t mind getting in the mail, the occasional offer of an exciting new credit card, but they don’t need a full credit report to send these out.

    Reading the “privacy” guarantees on one’s financial statements is depressing- BigFinance has held on tight to their right to share our data – but it seems like Equifax’s mopping -up operation should include automatic inclusion of opt-out as standard part of credit freeze.

    • WSKJ says:

      If I have confused credit lock with credit freeze, and there are important distinctions, I trust someone will spell these out. Thx

    • Wolf Richter says:

      “lock” or “credit freeze”? HUGE difference. Equifax is trying to fool you :-]

      Just above the question — “If my Equifax credit report is locked, who can access it?” — there is this question: “What is the difference between a credit report lock and a security freeze?”

      With a “lock,” you’re getting precisely what Equifax WANTS you to get. It does NOT want you to get a “credit freeze.” A credit freeze is state regulated, and there are no fudge factors built in.

      • Wisdom Seeker says:

        This sort of behavior is yet another reason why these so-called “agencies” should be shut down.

        No one should be allowed to share your data without your permission.

        No one should be allowed to aggregate your data without your knowledge and then charge you for the “privilege” of keeping it private. (Especially after some of them carelessly turn your private data loose into the wild.)

        The terminology used by predatory companies to fool people whose privacy is being violated should be regulated to avoid deliberate obfuscation and confusion. Regulation via jail sentences for execs, not fines for clueless shareholders.

  16. Anon2017 says:

    We have a national credit market in the US. For those who don’t abuse their credit and take advantage of all the benefits such a market has to offer, this can be a good thing. Imagine getting cash back for using your credit card abroad, not having to pay costly transaction fees to buy foreign travelers check and not having to pay an annual fee for your credit card to begin with. Things weren’t always so simple or inexpensive. Yes, the system is not perfect. But would you really like to go back to the days before credit cards?

    Without the data bases maintained by the major credit reporting agencies (even with their many faults), credit as we know it would not exist. You would be at the mercy of your local bank where you had your checking or savings account.

    If you really want to have your data removed from the credit reporting agencies’ files, close your financial accounts and wait ten years. But without a credit history, good luck getting a credit card at a later date or entering into any sort of formal financial transaction.

    • Wisdom Seeker says:

      Anon2017 you are a shill for the industry, putting up straw man arguments that have nothing to do with the point at hand.

      1) “Imagine getting cash back for using your credit card abroad” you pay for that cash via higher prices, charged by the merchants to pay the ‘credit system’ surcharge to the banks. I prefer to imagine getting everything for 5% less.

      2) “not having to pay costly transaction fees to buy foreign travelers check”
      this has nothing to do with anything

      3) “not having to pay an annual fee for your credit card to begin with.”
      this also has nothing to do with anything.

      4) “But would you really like to go back to the days before credit cards?”
      Another non-sequitur. Fixing the credit rating agencies has nothing to do with whether banks will issue credit cards.

      5) “Without the data bases maintained by the major credit reporting agencies (even with their many faults), credit as we know it would not exist.” – Nonsense. Banks would still issue credit because THAT’s WHAT THEY DO. The only reason why Equifax, Experian are independent is probably to deflect liability from the banks. With only a handful of major banks, and only 2-3 major payment systems, there’s no business need for independent rating agencies. The banks have all the same data. All the current system does is create risk of data theft, at customers expense, while avoiding bank liability.

  17. Hogwash says:

    Wow, can you say “false negative”?
    A last name with a space in it (and as such in the SS database) will give a FALSE NEGATIVE on the link provided.
    Dumb ***es!
    When I remove the space, it says “affected”.
    I’d sue. Sign me up.

  18. Dave Mac says:

    Apathy rules! OK?

Comments are closed.