
Equifax breach worsens, additional consumer data exposed

The Equifax breach compromised even more consumer data, including tax identification numbers, than originally reported. But the credit rating agency didn't disclose the update.

Equifax acknowledged its 2017 breach exposed more consumer data than it previously claimed, raising questions about why it didn't inform the public of the expanded scope of the incident.

The Equifax breach, which was first disclosed in September, exposed the personal information of over 145 million consumers. The credit-reporting giant said then that the compromised data included customers' names, Social Security numbers, birthdates, addresses, and some driver's license and credit card numbers.

But according to a report from the Wall Street Journal, a document Equifax submitted to the Senate Banking Committee revealed even more types of data were compromised. Most notably, the document said consumers' tax identification numbers, email addresses and driver's license information beyond the numbers were also exposed.

The original Equifax breach disclosure also said 143 million U.S.-based consumers were affected, but the company later revised that figure and said an additional 2.5 million consumers were affected, not including the hundreds of thousands of consumers affected in the U.K.

The revised number was made public in October after Equifax completed its internal investigation into the data breach, which was led by security vendor Mandiant. Equifax spokesperson Meredith Griffanti told SearchSecurity the investigation "uncovered everything," including the exposed tax identification numbers.

However, the full extent of the consumer data compromised in the Equifax breach was never directly disclosed by the company and wasn't made public until the Wall Street Journal's report last week. Griffanti told SearchSecurity that the number of affected consumers has not risen -- it remains at 145.5 million. "We're not trying to downplay anything," Griffanti said, adding that media coverage of this discovery has been "misleading."

Griffanti emphasized the original press release put out by Equifax said "information accessed primarily includes" Social Security numbers, birthdates and addresses.

"The information we've given to the public has stayed consistent," Griffanti said. "We had no intention of being inconsistent."

The full list of exposed data was only provided to the Senate Banking Committee. The exact date the document was submitted to the Senate Banking Committee is unclear, though a letter from Sen. Elizabeth Warren (D-Mass.) said it was submitted in "early 2018."

Warren also recently released a scathing report following her five-month investigation into the Equifax breach response. In the report, Warren criticized Equifax's handling of earlier disclosures about the breach, including the original notification process.

The breach occurred in May 2017, but Equifax didn't notice until July, and then didn't publicly disclose it until September.

"By failing to provide adequate information in a timely fashion, Equifax robbed consumers of the ability to take precautionary measures to protect themselves, materially injured investors and withheld market-moving information, and prevented federal and state governments from taking action to mitigate the impacts of the breach," Warren wrote in the report.

Equifax came under widespread criticism for its handling of the data breach. Beyond the time it took to alert the public to the security incident, the company also came under fire for what happened after the breach. For example, a website Equifax set up to help worried consumers figure out if their data was exposed in the breach was itself targeted by drive-by download attacks.

In addition, lawmakers criticized Equifax's breach response during a hearing for the Senate Committee on Commerce, Science, and Transportation in which interim CEO Paulino do Rego Barros Jr. admitted he didn't know if the company was currently encrypting consumer data.

Griffanti said the website was, and still is, the most secure way for consumers to check to see if their information has been compromised, though it hasn't been updated since October 2017 and doesn't include information about consumers' tax identification numbers and email addresses being exposed.


What do you think about these new reports regarding the Equifax breach? Are you worried about your data?

These are good questions. Hopefully, there will be some legislation in the future to control this type of data collection, or at least to secure it better.

Quite worried. But I am even more worried about why it is that these companies have this extra-legal power to even gather our personal information in the first place, without our consent. Ditto for the use of the SSN as a UID.

Equifax, TransUnion, Innovas, and Experian should frankly be put out of business altogether. The data they have is far too dangerous and the companies provably far too irresponsible to be trusted with it - especially since I never authorized them to have my personal data in the first place!

As for the a**-clowns responsible for leaving the Equifax servers unguarded, at minimum they should spend 10 years in a SuperMax and pay $10Million fine. Were it up to me, they'd be lined up against a wall and executed for their incompetence.

Like, "executed" as in shot and killed? That's a tad harsh. I'm in favor of the corporate death penalty for egregious actions, but not, like the ACTUAL death penalty.

The earlier data loss is a death sentence for most security process. The new revelations only have a modest impact and include a few additional unlucky people. For those 145.5 million people, you are at constant risk of your taxes, credit, financial accounts being hijacked with little recourse back to source of incompetence.

Sadly, this is very true. Equifax should at least take responsibility for leaving that many people at such a high level of risk that will last their entire lives.

Credit information are the crown jewels of the US consumer. With it, one could imagine a thief easily committing fraud against a consumer, from opening bogus credit accounts to filing false tax returns. Credit companies have known they are likely targets for sophisticated, ongoing hacking attempts. Clearly we are now living in an era where there is no longer any excuse for keeping customer data in an unencrypted format.

Good point. Encryption is of the utmost importance, though it should be only one part of a multifaceted security program.