The Daily Swig Web security digest

Equifax hack: More consumer data exposed than previously reported

James Walker | 12 February 2018 at 14:48

Tax ID numbers, email addresses, and phone numbers added to the hit list.

It’s now been five months since Equifax dropped the corporate bombshell that the personal details of more than 145 million individuals had been compromised – but the dust is far from settling on last year’s biggest hack.

As the US consumer protection bureau faces accusations of putting the brakes on the Equifax breach investigation, newly-obtained documents indicate that criminals gained access to more information than previously reported.

After discovering unauthorized access to its systems last July, Equifax went public with the breach on September 7.

The Atlanta-based credit rating agency confirmed that customer names, social security numbers, birth dates, addresses, and – in some instances – driver’s license numbers and credit card numbers had been compromised.

It now seems that the dataset has been expanded further, as Equifax is reported to have disclosed to the Senate Banking Committee that a forensic investigation found criminals accessed other information from the company’s records.

According to a document handed to the Wall Street Journal and the Associated Press by Senator Elizabeth Warren’s office, tax identification numbers, email addresses, and phone numbers were also compromised in the hack.

Further details, such as the expiration dates for credit cards and issuing states for driver’s licenses, were also included in the list, the Associated Press said.

“Equifax’s disclosure, which it has not made directly to consumers, underscores the depth of detail the company keeps on individuals that it may have put at risk,” said the AP’s Sarah Skidmore Sell.

“And it adds to the string of missteps the company has made in recovering from the security debacle.”

The latest development to the ongoing Equifax saga comes as the Consumer Financial Protection Bureau (CFPB) has itself come under fire for reportedly pulling back from a full-scale probe into the data breach.

A report in Reuters last week cited three unnamed sources as stating that CFPB Mick Mulvaney has failed to order any subpoenas against Equifax or sought sworn testimony from its executives – routine steps when launching an investigation.

These allegations have not escaped the attention of New York State Attorney Eric Schneiderman, who said his office will continue to push for answers.

Senator Warren, who last month introduced the Data Breach Prevention and Compensation Act in an effort to hold large credit reporting agencies accountable for data breaches, said Equifax’s initial admission last September was “just the beginning of the nightmare”.

Democratic Senator Sherrod Brown said the allegations were the latest in a pattern of the CFPB “turning its back on consumers” since Mulvaney took charge.

“Refusing to investigate a data breach that put 145 million Americans at risk is malpractice,” the senator stated. “Once again, Mr Mulvaney has made clear he will always side with special interests over the consumers who count on CFPB for help.

“The Administration needs to swiftly nominate a CFPB director who will protect consumers instead of letting well-connected corporations walk away scot-free.”