Equifax's massive 2017 data breach screwed over more than 140 million people, so it was not terribly surprising when tens of millions of people jumped at the opportunity to claim cash money in compensation. The Federal Trade Commission, however, apparently was surprised. A few days after the settlement claims page went public, the option for affected consumers to claim cash vanished, with the agency citing "overwhelming" and "unexpected" public response.

Sen. Elizabeth Warren (D-Mass.) is now among the many who were frustrated by the FTC's apparently questionable description of the settlement, and she's calling on the agency to investigate its own claims about available consumer compensation.

"The FTC has the authority to investigate and protect the public from unfair or deceptive acts or practices, including deceptive advertising," Warren says in a letter (PDF) to the commission's inspector general. "Unfortunately, it appears as though the agency itself may have misled the American public about the terms of the Equifax settlement and their ability to obtain the full reimbursement to which they are entitled."

The page on which consumers could file claims, as well as all the FTC's public statements about the settlement, originally said breach victims could sign up for "free credit monitoring OR $125" if they already had credit monitoring services and declined to enroll. The "alternative compensation fund" from which that $125 would come, however, was capped at $31 million—only enough for 248,000 people, or about 0.2% of affected consumers, to receive the full amount.

That cap was not mentioned in the FTC's initial press release, nor was it made clear in the claim form, Warren points out. "These pages did not inform consumers that the cash payment was subject to⁠—and in fact was very likely to be⁠—severely reduced." It took about a week after the settlement was announced for the commission to change its tune, warning consumers in an almost passive-aggressive way that claimants would get "nowhere near the $125 they could have gotten if there hadn't been such an enormous number of claims filed."

Warren asks the inspector general to "determine how the FTC made a series of decisions that will result in millions of Americans receiving only a small amount of the $125 they believe they are owed as remuneration for Equifax's failures" and provides a list of questions the IG can tackle, starting with why the FTC notified the public about the $125 in the first place and who made that decision.

Why was the cash option so popular?

An FTC spokesman told Ars last month that the settlement "was designed with the 10-year credit monitoring product as the primary source of relief for affected consumers because it was viewed as the best source of future protection from identity theft."

Aside from the allure of "free" money simply sounding great to millions of people, however, consumers have good reason to opt for the lump sum instead of the credit monitoring: they've probably already got more free credit monitoring than they can ever use and will keep being offered more.

It's now standard practice for a company on the wrong end of a data breach to offer at least a year of free credit monitoring services to affected customers⁠—and that list of "affected customers" basically includes everyone at this point. Data compiled by the Identity Theft Resource Center finds that while almost 198 million total records were exposed in hacks, breaches, and leaks in 2017, that number more than doubled to more than 446 million in 2018. Simply having an email address, going shopping, applying for a job, having health insurance, or basically existing at all as a modern consumer, as in the case of Equifax, leaves your data vulnerable.