We thought it couldn’t get any worse, but once again, we were wrong.
The Equifax data breach exposed far more information about consumers than we had been led to believe.
The full scope of the massive hack has emerged just this week because the credit-reporting agency disclosed it to the Securities and Exchange Commission in a filing. What is revealed is that the company has once again revised the number of people affected, as well as made some new admissions.
In September 2017, the Atlanta-based company told the public that millions of people may have had their personal data exposed when “criminals” hacked a website application vulnerability.
The company initially said that names and Social Security numbers were involved in the data breach. But much of the other information, like how many driver’s license numbers were exposed, was played down.
For example, in February, Equifax denied that passports were part of the treasure trove of personal info that criminals made off with last year, when as many as 148.5 million people had their data exposed. In the SEC filing, Equifax says passports were indeed part of the illicit catch.
In their “Statement For The Record,” disclosed Monday, Equifax said, “As a result of its analysis of the standardized data elements, including using data not stolen in the attack, the company was able to confirm the approximate number of impacted U.S. consumers for each of the following data elements: name, date of birth, Social Security number, address information, gender, phone number, driver’s license number, email address, payment card number and expiration date, TaxID, and driver’s license state.”
Here is what Equifax said the thieves stole in the data breach, along with the number of people affected:
|Name||First Name, Last Name, Middle Name, Suffix, Full Name||146.6 million|
|Date of Birth||D.O.B.||146.6 million|
|Social Security Number2||SSN||145.5 million|
|Address Information||Address, Address2, City, State, Zip||99 million|
|Phone Number||Phone, Phone2||20.3 million|
|Driver’s License Number3||DL#||17.6 million|
|Email Address (w/o credentials)||Email Address||1.8 million|
|Payment Card Number and Expiration Date||CC Number, Exp Date||209,000|
|Driver’s License State||DL License State||27,000|
“Separately from the elements described above … the attackers also accessed images uploaded to Equifax’s online dispute portal by approximately 182,000 U.S. consumers,” the company told the SEC. Equifax said that between October and Decemer 2017, it notified all consumers affected by the image heist.
Equifax said that because some consumers may have uploaded government-issued identifications through their portal, they didn’t initially analyze the images. But they have manually reviewed them since then. Here is the type and approximate number of images the hackers were able to access:
- Driver’s License images —38,000
- Social Security or Taxpayer ID Card images — 12,000
- Passport or Passport Card images — 3,200
- Other images (military IDs, state-issued IDs, resident alien cards) — 3,000
After more than eight months of wrangling, Equifax said it “believes it has satisfied applicable requirements to notify consumers and regulators. It does not anticipate identifying further impacted consumers.”
Understandably, you may feel uneasy about the load of personal information that may be in the hands of crooks and hackers. But there’s something you can do about it.
Money expert Clark Howard recommends a two-pronged approach to protecting yourself (and, in fact, advised consumers to do this even before the Equifax breach). Here’s what to do:
- Sign up for a Credit Karma or Credit Sesame account to get free credit monitoring and be notified when anyone tries to access your personal info. Here’s a step-by-step rundown of how to do it.
- Freeze your credit at the three major credit-reporting bureaus. Here’s an in-depth guide on how to contact Equifax, TransUnion and Experian to freeze your accounts.
Aside from congressional committees, Equifax has largely escaped federal scrutiny. But on the local level, states are trying to put safeguards in place. Here’s how to contact your own representatives.