What happened?

We identified a cybersecurity incident potentially impacting approximately 143 million U.S. consumers. Criminals exploited a U.S. website application vulnerability to gain access to certain files. We discovered the unauthorized access and acted immediately to stop the intrusion. We promptly engaged a leading, independent cybersecurity firm that has been conducting a comprehensive forensic review to determine the scope of the intrusion, including the specific data impacted. We also reported the criminal access to law enforcement and continue to work with authorities.

When did the company learn of this incident?

We learned of the incident on July 29, 2017, and acted immediately to stop the intrusion and conduct a forensic review.

Over what period of time did the unauthorized access occur?

Based on our investigation, the unauthorized access occurred from mid-May through July 2017.

Who and how many people are affected?

This incident potentially impacts approximately 143 million U.S. consumers. We have established a dedicated website, www.equifaxsecurity2017.com, to help U.S. consumers determine if their information has been potentially impacted. As part of our investigation of this application vulnerability, we also identified unauthorized access to limited personal information for certain UK and Canadian residents. We will work with UK and Canadian regulators to determine appropriate next steps.

What information may have been impacted?

The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. Criminals also accessed credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers. As part of our investigation of this application vulnerability, we also identified unauthorized access to limited personal information for certain UK and Canadian residents. We have found no evidence that personal information of consumers in any other country has been impacted.

Are Equifax’s core consumer or commercial credit reporting databases impacted?

We have found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.

Is the issue contained?

Yes, this issue has been contained.

What was the vulnerability?

Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted. We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.

What are you doing to prevent this from happening again?

We have engaged a leading, independent cybersecurity firm to conduct an assessment and provide recommendations on steps that can be taken to help prevent this type of incident from happening again.

What steps should I immediately take?

To determine if your personal information may have been impacted and for steps to protect your information, please visit www.equifaxsecurity2017.com. We recommend that consumers be vigilant in reviewing their account statements and credit reports, and that they immediately report any unauthorized activity to their financial institutions. We also recommend that they monitor their personal information and visit the Federal Trade Commission’s website, www.ftc.gov/idtheft, to obtain information about steps they can take to better protect against identity theft as well as information about fraud alerts and security freezes.

Why am I learning about this incident through the media? Why didn’t Equifax notify me directly?

Equifax issued a national press release in order to notify U.S. consumers of this incident and has established a website, www.equifaxsecurity2017.com, where U.S. consumers can receive further information.

Why was there a delay between when the incident was discovered and the public was notified?

As soon as Equifax discovered the unauthorized access, Equifax acted immediately to stop the intrusion. The company promptly engaged a leading, independent cybersecurity firm which has been conducting a comprehensive forensic review to determine the scope of the intrusion, including the specific data impacted. Because this incident involves a substantial amount of personal identifying information, the investigation has been complex and time-consuming. As soon as we had enough information to begin notification, we took appropriate steps to do so.

Complimentary TrustedID Premier Product

How does the online enrollment process for TrustedID Premier work?

The details of the online enrollment process are outlined on www.equifaxsecurity2017.com

How long am I able to use this complimentary product?

Equifax is offering TrustedID Premier, which includes credit file monitoring and identity theft protection product, complimentary for one year.

How long is the enrollment period for TrustedID Premier?

Consumers have until Tuesday, November 21, 2017, to take advantage of the complimentary, one-year subscription to TrustedID Premier.

Does the product start on the notification date or on the enrollment date?

The product starts on the date that you activate your subscription.

What are the features offered in TrustedID Premier?

TrustedID Premier provides you with copies of your Equifax credit report; the ability to lock your Equifax credit report; 3-Bureau credit monitoring of your Equifax, Experian and TransUnion credit reports; Internet scanning for your Social Security number; and identity theft insurance.

After I activate TrustedID Premier, how do I lock and unlock my Equifax credit file?

Once you activate your product, you will be able to conveniently submit a request in TrustedID Premier to lock or unlock your Equifax credit file. Requests to lock and unlock your Equifax credit file will be fulfilled by Equifax within 24 to 48 hours, so please take that into account when you are considering applying for new credit.

In this situation, am I better off placing a fraud alert, requesting a security freeze, or using the file lock feature in the TrustedID Premier product?

A consumer does not need to choose a single option. We recommend choosing the ones that best suit your credit activity. The various options are more fully described below.

  • Fraud Alert: A fraud alert is a notification you may request that a nationwide consumer reporting agency place on your credit report that warns creditors that you may be a victim of identity theft. Think of a fraud alert as a “red flag” for those third parties that may consider extending you credit. Fraud alerts are free, and will still allow third parties access to your credit reports – however, if there is a fraud alert on your credit report, third parties will be encouraged to take certain steps to verify your identity before extending you credit. Once you place a fraud alert with one nationwide consumer reporting agency, it will be automatically placed with the other two nationwide consumer reporting agencies.
  • Security Freeze: A security freeze prevents new creditors from accessing your credit report unless you lift or remove the freeze, either temporarily or permanently. The nationwide consumer reporting agencies may charge consumers for placing or removing freezes depending on state law. You will need to contact each nationwide consumer reporting agency to place or remove a security freeze.
  • File Lock: An Equifax credit file lock is similar to a security freeze and allows you to lock access to your Equifax credit report. Lenders cannot access your Equifax credit file to open new accounts unless you unlock your file. However, when you lock your Equifax credit file, it does not lock your credit file at the other two nationwide consumer reporting agencies. The lock feature is available within the complimentary TrustedID Premier product Equifax is making available to U.S. consumers.

Please note that you can have either a security freeze or Equifax credit file lock on your Equifax credit report, but not both.

It’s been 72 hours since I completed the online enrollment process, but I haven’t received an email. What should I do?

If you have returned to the website on your designated enrollment date and completed the enrollment process, but have not received an email with a link to activate your product, please be sure to check your spam or junk folders.

I’ve gone through the enrollment process and received an activation link. Does the link expire?

The activation link will remain active throughout the enrollment period, which ends on Tuesday, November 21, 2017.

Are military personnel eligible for TrustedID Premier?

Yes, as long as they have a credit file and enroll in the product.

If I’m on active duty abroad or physically unable to enroll during the 60-day enrollment period, can a member of my family sign me up?

If you are physically unable to complete the online scheduling and enrollment process during the 60-day enrollment period, a Power of Attorney or POA is required. You may submit this information to us via email, fax, or U.S. mail using the following information:

Email: [email protected]

Fax number: 1-866-313-7122

Mailing address:

Equifax Personal Solutions
Attention: Atlanta Support
PO Box 105496
Atlanta, GA 30348

If you choose not to enroll in complimentary credit file monitoring and identity theft protection, but instead wish to place a security freeze or fraud alert on your credit file, the POA must be sent to:

Equifax, Inc.
PO Box 740256
Atlanta, GA 30374-0256

Please enclose:

  • Your first and last name;
  • Your contact information (such as telephone number and/or email address, if applicable)
  • A brief summary for the request
  • The first and last name, and Social Security number for the individual that you represent
  • A copy of the notarized Power of Attorney document or the letters of conservatorship/or letters of guardianship
  • A copy of the Driver’s License of the authorized POA/conservator/or guardian or valid State Identification that has their name as shown on the notarized documents.

Can I sign up my minor child?

Equifax does not typically have information associated with minors.

Do the TrustedID and Equifax Terms of Use limit my options related to the cyber security incident?

To confirm, enrolling in the free credit file monitoring and identity theft protection products that we are offering as part of this cybersecurity incident does not prohibit consumers from taking legal action. We have already removed that language from the Terms of Use on the site www.equifaxsecurity2017.com. The Terms of Use on www.equifax.com do not apply to the TrustedID Premier product being offered to consumers as a result of the cybersecurity incident. Again, to be as clear as possible, we will not apply any arbitration clause or class action waiver against consumers for claims related to the free products offered in response to the cybersecurity incident or for claims related to the cybersecurity incident itself.

If I enrolled in TrustedID Premier prior to the Terms of Use change, what Terms of Use apply?

The prior Terms of Use will not apply to any consumers who have enrolled in TrustedID Premier, regardless of when they enrolled. In other words, even if a consumer enrolled prior to the change to the Terms of Use, the revised Terms of Use will apply to that consumer.

When were the Terms of Use for TrustedID Premier updated?

We are listening to issues that consumers are experiencing, and their suggestions are helping to further inform our actions. In response to consumer feedback about the arbitration clause and class action waiver, we have taken several actions:

  • We removed that language from the TrustedID Premier Terms of Use on September 8, 2017
  • We began pointing consumers on www.equifaxsecurity2017.com to the revised TrustedID Premier Terms of Use on September 9, 2017
  • We issued statements on September 8 and 10, 2017 further clarifying that the arbitration clause and class action waiver in the Equifax product Terms of Use on www.equifax.com do not apply to the TrustedID Premier product being offered to consumers or to the cybersecurity incident.
  • We updated the Equifax product Terms of Use on www.equifax.com on September 12, 2017 to state that those terms do not apply to the TrustedID Premier product or the cybersecurity incident

I have an Equifax subscription product that contains credit monitoring and identity theft protection. Will I need to pay for this moving forward?

You may elect to cancel your existing subscription and enroll in our TrustedID Premier product, which is complimentary for one year.

After the one-year complimentary subscription expires, will the product renew?

The product will expire after one year. We are not requesting consumers’ credit card information when they sign up for the free credit file monitoring and identity theft protection we are offering to all U.S. consumers. Consumers who sign up for TrustedID Premier will not be automatically enrolled or charged after the conclusion of the complimentary year of TrustedID Premier.

What if I don’t want to use an Equifax product? Will Equifax reimburse me if I buy another product?

Equifax will not reimburse consumers for the cost of a different product.

The website where I enrolled in the TrustedID Premier product has the Equifax name on it, but the URL and emails I’m receiving all say TrustedID. What is the relationship between TrustedID and Equifax?

In 2013, Equifax acquired TrustedID, a company that offers credit file monitoring and identity theft protection products. We want to reassure all consumers going through the enrollment, scheduling and activation process that the TrustedID name in the URL and in the email address are valid.

I was recently a victim of a data breach with another company and have credit monitoring with another company. Is that enough, or do I need to take Equifax up on its offer?

If you have complimentary credit monitoring and identity theft protection as a result of another cybersecurity incident, it is your choice whether to enroll in TrustedID Premier.

Credit Reports/Credit Monitoring

If I lock my Equifax credit report, can anyone still access it?

When you lock your Equifax credit report, access continues to be allowed for certain requestors, including: sources reviewing your application for employment; companies that have a current account or relationship with you; collection agencies acting on behalf of those whom you owe; resources that wish to make pre-approved offers of credit or insurance; fraud detection and preventive purposes; applications for insurance; and federal, state, and local government agencies.

Should I place a security freeze on my Equifax, Experian and TransUnion credit reports?

If you are interested in placing a security freeze on your Equifax, Experian or TransUnion credit reports, please refer to the consumer notice on www.equifaxsecurity2017.com, which outlines the contact information and process.

How will I know when I have a credit monitoring alert?

Credit monitoring alerts are generated when certain changes to your credit reports occur. They are available within your TrustedID Premier product. In addition, you may customize your alert preferences at any time to receive notifications about new alerts by email and text message. Please note that standard message and data rates may apply.

Is it possible that I won’t receive 3-Bureau credit file monitoring?

Yes. There may be instances when your credit file cannot be monitored at one or more of the credit bureaus. You will receive monitoring at the credit bureaus where your credit file exists and can be monitored.

I just received my free Equifax credit report from annualcreditreport.com. Will I be entitled to an additional copy of my Equifax credit report?

If you choose to enroll in TrustedID Premier, you will have access to copies of your Equifax credit report.

Call Center

It’s taking me a long time to get through to the call center. Why is this?

We are experiencing high call volumes, and we are working diligently to respond to all consumers. We recommend that you visit our website at www.equifaxsecurity2017.com to find more information. You may also try back after 5:00 p.m. Eastern time when call volumes may be lower. For your convenience, we are available from 7:00 a.m. until 1:00 a.m. Eastern time, 7 days per week.

I called the call center number and am getting a fast busy signal?

We are experiencing high call volumes, and we are working diligently to respond to all consumers. We recommend that you visit our website at www.equifaxsecurity2017.com to find more information. You may also try back after 5:00 p.m. Eastern time when call volumes may be lower. For your convenience, we are available from 7:00 a.m. until 1:00 a.m. Eastern time, 7 days per week.

Will Equifax be able to assist consumers in Spanish?

Yes, Equifax call center agents have Spanish-speaking capabilities.

Will Equifax be able to assist consumers who are hearing impaired?

Yes, Equifax call center agents are able to assist consumers who are hearing impaired.

General

How did you detect the intrusion?

During routine monitoring, Equifax detected anomalous outbound traffic believed to be suspicious from an online U.S. consumer portal.

Do you know which parts of Equifax’s network may have been exposed?

Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted. We have found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.

Why didn’t Equifax detect the vulnerability? Or the intrusion?

Equifax is conducting an investigation relating to those issues.

How do I know if I’ve been a victim of identity theft? What are some red flags I should look for?

We recommend that consumers monitor their personal information and visit the Federal Trade Commission’s website, www.ftc.gov/idtheft, to obtain information about steps consumers can take to better protect against identity theft as well as information about fraud alerts and security freezes.

Will someone from Equifax contact me by phone?

You will only be called if you have left a message with the call center. Otherwise, you will not be called by Equifax and should not provide personal information to anyone who calls you or sends you a message about this incident.

My bank notified me that my account has been improperly accessed. What should I do?

If you believe that your bank account has been compromised, please work with your local financial institution and local law enforcement agencies.

What is Equifax going to do to help me?

To determine if your personal information may have been impacted, please visit www.equifaxsecurity2017.com. Equifax is offering credit file monitoring and identity theft protection, which includes 3-Bureau credit monitoring of your Equifax, Experian, and TransUnion credit reports; copies of your Equifax credit report; the ability to lock and unlock your Equifax credit report; identity theft insurance; and Internet scanning for your Social Security number – all complimentary to U.S. consumers for one year.

I submitted a dispute earlier this year during the timeframe referenced. Did this incident impact my dispute?

We do not believe that this incident has impacted the dispute resolution process.

Should I be concerned about the personal information of my deceased spouse/relative?

If you are concerned about the personal information of your deceased spouse/relative, please notify the Social Security Administration. The Social Security Administration will notify the nationwide credit reporting agencies, which will place a notation on the deceased’s credit file.

I’ve never signed up for Equifax services, why do you have my information?

As a nationwide consumer reporting agency, Equifax receives information from a variety of businesses and other sources.

Do I need to file a police report?

If you believe you are the victim of identity theft, you should contact the appropriate authorities, including local law enforcement.

Should I contact any other government agencies?

If you believe you are the victim of identity theft, you should contact the appropriate authorities, including local law enforcement.

I want to dispute inaccurate information on my credit file. How do I do this?

For more information about how to dispute information on your Equifax credit report, please visit our online dispute page at www.equifax.com/personal/disputes.

If I encounter identity theft as a result of this cybersecurity incident, who will cover the expenses for any costs I might incur?

As part of your TrustedID Premier product, you will receive identity theft insurance up to $1 million. The identity theft insurance provided in TrustedID Premier is underwritten by American Bankers Insurance Company of Florida or its affiliates. This description is a summary and intended for informational purposes only and does not include all terms, conditions and exclusions of the policies described. Please refer to the actual policies for terms, conditions and exclusions of coverage. Coverage may not be available in all jurisdictions.

Can you help me cancel my existing Equifax credit monitoring subscription/service?

If you have an existing subscription to an Equifax credit monitoring product, you may elect to cancel your existing subscription and enroll in TrustedID Premier. To do so, you will need to log into your current product and proceed with the cancellation process, which can be found in the Manage Billing portion of your online account.

For International Consumers

Was my data impacted by this incident?

As part of its investigation, we have identified unauthorized access to limited personal information for certain UK and Canadian residents. We are working with regulators to determine next steps.

What should I do if I am a consumer in the United Kingdom or Canada?

We are working with our regulators to determine next steps.

Do you have an estimate of the costs you expect to incur related the cybersecurity incident, including timing? Does Equifax have cyber insurance and to what extent will it offset the financial impact of this incident?

At this time, it is too early for us to provide specific estimates of the costs we expect to incur related to the cybersecurity incident. The most significant near-term costs expected to be incurred will be delivering our TrustedID Premier identity theft protection and credit file monitoring product for a period of 12 months to consumers who enroll. In addition, Equifax will incur legal, forensic consulting and other costs related to the incident. Equifax carries cybersecurity, crime, general liability and other lines of insurance, and we have begun discussions with our carriers regarding the incident.

How will you disclose the costs related to the cybersecurity incident in your financial statements and public filings?

Equifax will separately disclose costs specifically related to this cybersecurity incident, as well as any insurance reimbursements that offset these costs. These costs and reimbursements will be treated as non-GAAP items in our presentation of Adjusted EPS and Adjusted EBITDA margin. The timing of the accrual for or incurrence of related costs may differ from the timing of recognizing insurance reimbursement for those costs.

Do you expect this cybersecurity incident to impact your long term financial model?

Equifax remains committed to delivering on the long term financial model of 7-10% revenue growth and 11-14% growth in Adjusted EPS on average over a business cycle. Equifax’s long term financial model reflects our continuing fundamental ability to utilize our unique and differentiated data assets and leading analytical capability to deliver high value products and services to our customers.

Are you expecting any near term impact to your financial results from the cybersecurity incident?

We do expect some disruption to our business, as we focus on completing the detailed investigation of this event, taking the steps needed to minimize the likelihood that this type of incident will happen again, and working with customers to address their concerns and maintain their trust as a leading supplier of consumer data and analytics. We also expect impacts to our Global Consumer business as it focuses on delivering TrustedID Premier to US consumers. We will provide a further update on our 3Q17 earnings call in October.

Does this cybersecurity incident impact your capital allocation priorities going forward?

Our capital allocation priorities are unchanged at this time. As we have previously indicated, our investment priorities in order of importance are: (1) internal investment; (2) dividends; (3) acquisition; and (4) share repurchase. We do, however, expect to increase our capital spending in an effort to further accelerate IT infrastructure, systems and data security and resiliency improvement actions.

When was the Board made aware of the incident? What has their involvement been?

We promptly informed the Board upon learning the potential scope of the incident and have engaged them since then in regular discussions.

Are you still planning to attend sell-side conferences scheduled for the remainder of the year?

Yes, investors are an important constituency and we intend to continue a high level of accessibility and participation in conferences, NDR’s and other meeting requests.