Equifax filing reveals hack was somehow even worse than previous estimates

The 2017 hack of Equifax, already among the largest ever recorded, just got bigger. Well, they’re admitting that it was bigger than they had previously, which amounts to the same thing. Documents filed with the SEC reveal that more people, more IDs, and more info in general was stolen when the company utterly failed to protect its “users,” many of which didn’t even know they were in the database.

The company revealed various numbers around the time it disclosed the hack, though one it neglected to include was how many millions of dollars in stock were sold by executives before publicly disclosing it. But let’s not linger on their past crimes. I’m sure they’re very sorry!

Amanda Werner, dressed as Monopoly’s Rich Uncle Pennybags, sits behind Richard Smith, CEO of Equifax, during a Senate hearing.

Today’s information was filed with the Securities and Exchange Commission as part of the company’s disclosures regarding the hack. It provided first a handy table listing what was stolen as raw strings of data from Equifax’s inadequately protected databases:

  • Full name: 146.6M
  • Date of Birth: 146.6M
  • Social Security number: 145.5M
  • Full address: 99M
  • Gender: 27.3M
  • Phone number: 20.3M
  • Driver’s license number (incl. 2.4M partials): 17.6M
  • Email address: 1.8M
  • Credit card numbers (with expiration dates): 209,000
  • Individual Tax Identification Number (ITIN/Tax ID): 97,500
  • Driver’s license state: 27,000

Previous estimates of driver’s license numbers leaked were around 10.9 million, and total affected put at 143 million. Sure, the difference between 143 million and 146.6 million is relatively small, but it’s still 3.6 million people.

Secondly the filing includes a table listing images stolen by the attackers. These were “uploaded to Equifax’s online dispute portal by approximately 182,000 U.S. consumers,” the document says.

  • Driver’s license: 38,000
  • Social Security of Taxpayer ID Card: 12,000
  • Passport or Passport Card: 3,200
  • Other: 3,000

It’s unclear why these don’t add up to 182,000, but the images could also have been non-valuable things like forms or pictures of assets.

Imagine the kind of havoc you could wreak with even a few isolated data points from this set. Phishing teams and other scammers must be having the time of their lives: with so much official data to use, it’s that much easier to convince someone that a service or email is legitimate. Images of licenses and passports could lead to more sophisticated fraud at borders or in other government situations as well.

<a href=”https://techcrunch.com/tag/equifax-hack/” target=”_blank” rel=”noopener”><img src=”https://techcrunch.com/wp-content/uploads/2017/09/eq-uifax-hack-banner.png” /></a>

Equifax launches its credit locking app and extends free credit freezes through June

 Today was supposed to be the deadline for Equifax’s free credit freeze offering, but the company has decided to extend the service to consumers for another five months. Now, Equifax customers can request a credit freeze through June 30.
Still, January 31 is the last day to cash in on free credit monitoring through Equifax’s TrustedID Premier program, assuming you still trust the… Read More

Senators push to ditch social security numbers in light of Equifax hack

 Eyeing more secure alternatives to social security numbers, lawmakers in the U.S. are looking abroad. Today, the Senate Commerce Committee questioned former Yahoo CEO Marissa Mayer, Verizon Chief Privacy Officer Karen Zacharia, and both the current and former CEOs of Equifax on how to protect consumers against major data breaches. The consensus was that social security numbers have got to… Read More

Equifax hack included nearly 11 million US driver’s licenses

 The latest news from the enormous Equifax hack is that the stolen records included 10.9 million driver’s licenses from U.S. citizens, according to the Wall Street Journal’s sources. This isn’t much of a surprise given how poorly all the other information was secured, but it’s nice to put a number on just how many of various personal documents Equifax’s poor… Read More

Chatting corporate greed with Mr. Monopoly, hero of the Equifax Senate hearing 🎩💸

 In a particularly dark week for America, one ray of hope shone bright, its monocle glinting bravely in the harsh media flash. Enter Rich Uncle Pennybags, the board game fat cat better known as the Monopoly man, who made a high-profile appearance at today’s Senate hearing on the Equifax hack. Read More

Former Equifax CEO says breach boiled down to one person not doing their job

 In a continued effort to pass on any responsibility for the largest data breach in history, Equifax’s recently departed CEO is blaming it all on a single person who failed to deploy a patch.
Hackers exposed the Social Security numbers, drivers licenses and other sensitive info of 143 million Americans earlier this summer by exploiting a vulnerability in Apache’s Struts software… Read More

Far Fewer Canadians Hit By The Equifax Hack Than Originally Thought

Credit cards, a chain and an open padlock is seen in front of displayed Equifax logo in this illustration taken September 8, 2017.

Equifax Inc. said Monday that it has revised down the number of Canadians affected by its high-profile data breach and now puts the number at about 8,000 customers.

The company previously estimated that some 100,000 Canadians could have had their personal information compromised before a forensic review by cybersecurity firm Mandiant found the actual number to be much lower.

The review adds about 2.5 million Americans to the list of those affected by the massive cyber attack, bringing the total number of people in the U.S. potentially impacted to 145.5 million.

Credit reporting company Equifax  Inc. corporate offices are pictured in Atlanta, Georgia, U.S., September 8, 2017.

Equifax says the review also determined that some Canadians had their credit card information hacked and will be mailing out written notices to all potentially impacted Canadians, but did not provide a specific estimate.

On a website update, Equifax’s Canadian division said it has not yet mailed out any notices and made clear it would not be making any unsolicited calls or emails about the issue.

Equifax first notified the public of the security breach on Sept. 7, though it said the unauthorized access is thought to have happened from May 13 to July 30, with Equifax’s security team catching the hack on July 29.

The company has said that it believes that hackers accessed Equifax Canada’s systems through a consumer website application intended for use by U.S. consumers.

High-profile departures in wake of breach

Equifax is facing investigations in Canada and the U.S., as well as at least two proposed class actions filed in Canada.

The massive data breach has also led to a number of high-profile departures at the Atlanta-based consumer credit reporting agency, including its chief executive, chief information officer and chief security officer.

​​​​​​Also On HuffPost:

San Francisco sues Equifax on behalf of 15 million Californians affected by the breach

 Equifax is not only in deep for a class-action lawsuit over a breach exposing 143 million U.S. citizen’s social security numbers and a subpoena in New York, it’s now being sued by the city of San Francisco. S.F. City Attorney Dennis Herrera filed the lawsuit against the credit reporting agency in San Francisco Superior Court for “failing to protect the personal data of more… Read More