Under extreme pressure on Friday, embattled Equifax folded on its “no-sue” demands.
The credit-monitoring company, which revealed on Thursday a massive cyberattack on its national database, took heat from a host of elected officials for offering to help victims of the attack — but only if they gave up their right to sue the Atlanta company.
Equifax said personal information, including Social Security numbers, on up to 143 million Americans was stolen in the May cyberattack.
The company, which said it discovered the hack in July, set up a special site to offer free credit monitoring to victims of the attack.
It is offering the service, called TrustedID, for a year.
But buried in the fine print of the site — and on a page that wasn’t immediately obvious — was an agreement that customers would “resolve all disputes” through “binding individual arbitration.”
In other words, if you get any help, you can’t sue us.
Sen. Elizabeth Warren (D-Mass.), who’s backed a government rule that would limit arbitration, tore into Equifax on Twitter.
“.@Equifax is forcing you to give up your right to join a class action against the company if you want their credit protection product,” Warren wrote. “That’s right: @Equifax fails to protect your data and then they demand you give up legal rights if you want to limit the damage they caused.”
New York Attorney General Eric Schneiderman separately opened an investigation into how the hack happened, and claimed that 8 million New Yorkers could be affected.
The pressure seemed to have worked on Equifax.
On Friday afternoon, the company quietly added to its Web site an FAQ that says its arbitration agreement applies only to TrustedID, and not the cyberbreach.
The hack appears to be one of the largest in history. The scope of the data that have been accessed — which includes birth dates, addresses, credit card numbers and driver’s license numbers — has the potential to ruin people’s credit and lead to large-scale identity theft.
While Equifax claims that it is beefing up its cybersecurity, it also blamed the breach on a software flaw from a vendor.
Hackers were able to breach the company through a flaw in software created by the company Apache, Equifax said, according to Jeffrey Meuler, an analyst at Robert W. Baird, who said he was told as much in a phone call.
“My understanding is the breach was perpetuated via the Apache STRUTS flaw,” Meuler told The Post.
STRUTS is a widely available software system that’s used by many of the nation’s largest companies, including Lockheed Martin, Citigroup, Vodafone, Virgin Atlantic, Reader’s Digest, Office Depot and Showtime — plus the Internal Revenue Service, according to lgtm, a software development group.
Equifax has not publicly said how the cyberattack happened.
STRUTS has been under attack by hackers since at least March, according to Ars Technica, which has reported on the software’s vulnerability.
Apache has put out several patches — or software fixes — for its STRUTS system since March. It’s unclear if Equifax had patched its systems since then.
Representatives for Equifax and Apache weren’t immediately available for comment.