Equifax hackers may have stolen more data than originally revealed

A document submitted by Equifax to the Senate Banking Committee shows attackers may have also stolen tax ID numbers, additional driver’s license and credit card details, email addresses and phone numbers.

Equifax hackers may have stolen more data than originally revealed
Tami Chappell/Reuters

Attackers possibly made off with even more data from the Equifax hack than the public has been told.

Last year, the credit reporting company admitted that the personal information, such as names, Social Security numbers, birth dates, addresses and some driver’s license and credit card numbers, of 145.5 million consumers had been compromised in a breach. But a document submitted by Equifax to the Senate Banking Committee revealed that attackers may have also stolen tax identification numbers, additional driver’s license and credit card details, as well as email addresses and phone numbers.

On Feb. 9, after The Wall Street Journal reported that the hack might have been worse than the public was led to believe, Sen. Elizabeth Warren (D-Mass.) sent a letter (pdf) demanding that Equifax finally reveal the full extent of the breach.

As your company continues to issue incomplete, confusing and contradictory statements and hide information from Congress and the public, it is clear that five months after the breach was publicly announced, Equifax has yet to answer this simple question in full: what was the precise extent of the breach?

Equifax has been busy trying to downplay the additional types of data accessed in the massive breach. As for not fully disclosing the “insignificant” number of email addresses, the company told the WSJ that it had complied with regulatory requirements, since email address are often publicly accessible and not sensitive information.

Equifax told CNN Money that “the original list of vulnerable personal information was never intended to represent the full list of potentiality exposed information.”

The Associated Press reported Equifax spokeswoman Meredith Griffanti as saying, “In no way did we intend to mislead consumers.”

Griffanti also said that while the list provided to the committee includes all the potential data points that may have been accessed by criminals, those elements impacted a minimal portion of consumers. And some data — like passport numbers — were not stolen. The company reiterated that the total number of consumers affected is unchanged.

“When you are making that kind of announcement, where do you draw the line? If you saw the list we provided the banking finance committee it was pretty exhaustive,” Griffanti said. “We wanted to show them that no stone was left unturned.”

Not at all appeased, Sen. Warren pointed out that her five-month investigation into the breach “revealed the depth of the breach and cover-up at Equifax.” She called the Equifax hack “one of the largest and most significant data security lapses in history.”

Sen. Warren’s report (pdf) covered how Equifax’s lax security failed to protect people’s data, how the company took its sweet time after the breach to come up with what it would tell the public, and how it abused federal contracting loopholes in an attempt to force the IRS into a contract in which Equifax would “protect” sensitive taxpayer data.

It also highlighted the absolute fail of the website, which was neither secure nor consistently helpful, set up by Equifax to help people determine if their data was accessed. Equifax later blamed the site’s problems on a vendor’s software code.

Equifax’s list of ‘accessed’ data

The New York Post reported that Equifax’s list of “accessed” data included “passport numbers; Social Security numbers; first, last, and middle names and suffixes; gender; home addresses and phone numbers; driver’s license numbers, including the date the license was issued and the state issuing them; date of birth; credit card numbers, their expiration date and “CV2” security numbers; tax ID numbers; and email addresses.”

On Feb. 9, Sen. Warren noted:

Among the types of PII Equifax listed in these “attacker-accessed tables” were Tax ID numbers, e-mail addresses, and passport number. The Wall Street Journal report confirmed that the hackers did access almost of these data elements –all of which were reported to the Senate Banking Committee. Except now Equifax is claiming that passport numbers were not compromised — despite telling the Banking Committee that they were part of the attacker-accessed tables.

Experts warn that the additional information stolen from Equifax, such as the state that issued the driver’s license and the expiration data and security code on credit cards, make it that much easier for cyber thugs to abuse.

“The more information scammers have about you, the easier it is for them to impersonate you,” Lauren Saunders, associate director at the National Consumer Law Center, told CNN Money. “And the easier it is for them to get by the protocols that banks and others use to make sure they are dealing with the right individual.”

This is also a good time to remind you to file your taxes ASAP before some thug potentially tries to use your information to scam the IRS.

NEW! Download the Fall 2018 issue of Security Smart