Equifax releases more information about 2017 data breach

New figures reveal the true scope of last year’s biggest security scandal

More details about one of the most expensive corporate breaches were revealed yesterday, as Equifax continues its back and forth with US Congress over its 2017 security incident that affected at least 146 million people.

The credit reporting agency announced that it had sent further information to several US congressional committees regarding the type of data that was stolen from the cyber-attack that the company was made aware of in July 2017.

Attackers were able to access approximately 38,000 driver’s licenses and 3,200 passports, the newly submitted documents said.

The overall number of individuals thought to have had their personally identifiable information compromised did not change, but this was broken down to include 146.6 million names, 146.6 million dates of birth, 145.5 million social security numbers, 99 million addresses, and 209,000 payment card details.

Most victims were based in the US, with almost 700,000 located in the UK.

Federal investigators have pledged to take legal action against Equifax, which has so far only seen charges brought against Jun Ying, a former CIO, for insider trading prior to the company’s breach disclosure in September 2017.

In the six months since then, more than 20,000 complaints have been sent to the Consumer Financial Protection Bureau (CFPB) regarding how the company has handled the incident.

US Senator Elizabeth Warren, who, among others, has been championing a consumer focused reform to US data security laws, recently outlined in a letter to CFPB that these complaints were crucial in ensuring the prevention of further occurrences and rebuilding trust with credit bureaus.

It said: “Thousands of consumers reported to CFPB on improper use of credit reports, incorrect information on credit reports, inadequate assistance in resolving problems, and problems with Equifax credit monitoring, fraud alerts, and security freezes in the wake of the breach.

“This report provides strong evidence that the CFPB must hold Equifax accountable and act quickly and decisively to protect the millions of consumers harmed by the breach.

Equifax highlighted a $242.7 million so far spent on the data breach in its latest Q1 earnings report, with $60 million having been covered by insurance up until now.

The company also reported a $865.7 million in revenue – a 4% increase from Q1 of 2017.

As an abundance of draft legislation passes through Congress on how companies should report a data breach, Equifax maintains that its actions in notifying consumers were satisfactory in that it was not made aware of the stolen personally identifiable information – such as social security numbers – right away.

Equifax’s 2017 data breach was caused by the failure to patch a security flaw in the Apache Struts web application framework. The developer, Apache Software Foundation, issued a fix to the vulnerability in March 2017.