Nearly half the US woke up Friday to find out their Social Security number might have been stolen, thanks to hackers who breached the database of a top credit monitoring service.
Equifax is one of three major credit monitoring companies, which victims of data breaches typically turn to for protection. Now, a breach at the company has exposed the Social Security numbers, names, addresses and birth dates of up to 143 million people in the US alone. Folks in Canada and the UK have also been affected.
About 209,000 people had their credit card information stolen as well. The Federal Trade Commission has advised people to monitor their accounts closely, and to place a fraud alert on all their files. The massive number of victims has prompted a lot of questions.
Don't fret though. We'll look at the legal situation below. And in CNET's How To section, you'll find a general guide for those who think they might've been nailed by the breach.
Can I sue Equifax?
Yes, either as part of a class action lawsuit or on your own.
It looked even more suspicious that the terms were changed on Wednesday, a day before the revelation of the hack.
"This agreement would only cover breaches committed by TrustedID, in its future monitoring," Rohback said.
This still sounds suspicious
It should. In July, the Consumer Financial Protection Bureau decided to ban companies from using arbitration clauses, pointing out that such clauses have prevented massive numbers of people from taking legal action.
New York's attorney general, Eric Schneiderman, on Friday wrote in a tweet that the arbitration clause was "unenforceable" and that his staff had demanded Equifax remove it.
Is anyone suing Equifax yet?
Actually, two lawsuits seeking class action status have been filed so far.
Michael Fuller is representing two Oregon residents who filed a suit Thursday, claiming Equifax failed to adequately protect the personal information of 143 million people. You can join the case by signing up on www.equifaxcase.com. The plaintiffs are seeking $70 billion in damages from Equifax over the breach.
Despite the massive payout, if successful, each victim would receive only $489, and that's before legal fees. That's how much your Social Security number, name, address and birthdate would be worth.
Still, "It could be the largest class action lawsuit ever filed," Fuller said. "It involves almost half the country."
Fuller has gotten so many calls about the lawsuit that he began redirecting people to their local attorney general's office.
Meanwhile, in Equifax's home state of Georgia, two plaintiffs have filed another suit against the company. The lawsuit alleges Equifax could have prevented the data breach, and that it failed to notify victims in a timely manner.
The plaintiffs are being represented by John Yanchunis, the lead counsel representing victims affected by the record-breaking breach of Yahoo. Yanchunis has also represented victims of breaches involving Target and Home Depot.
"Equifax contains one of the largest databases of consumer information and they should have been better prepared for any attempt to penetrate its systems," Yanchunis said in a statement.
Is the US government doing anything about this?
On Friday morning, Democratic Rep. Ted Lieu of California sent a letter to the House Judiciary Committee chair asking the committee to investigate the breach and why it took more than six weeks for Equifax to go public with the announcement.
Lieu is requesting that Congress call representatives from Equifax, TransUnion and Experian, the "big three" credit monitoring agencies, to testify on Capitol Hill about the breach and about how they protect their computer systems.
Democratic Sen. Mark Warner of Virginia, the vice chair of the Senate Intelligence Committee, criticized Equifax over its "profoundly troubling" breach and suggested new data protection policies for Congress to pass.
Equifax is also working with the FBI on the investigation.
In New York, the state attorney general's office announced a formal investigation into the Equifax breach.
Three Equifax executives, including its chief financial officer, sold shares in the company just three days after the breach was first discovered. The Securities and Exchange Commission didn't comment on whether it was investigating insider trading.
First published Sept. 8, 11:26 a.m. PT.
Update, 12:45 p.m. PT: Recasts story in light of Equifax's updated FAQ. Update, 2:32 p.m. PT: Changes made throughout for clarity and readability.