On May 7, executives of Equifax submitted a “statement for the record” to the Securities and Exchange Commission detailing the extent of the consumer data breach the company first reported on September 7, 2017. The data in the statement, which has also been shared with congressional committees investigating the breach, reveals to a fuller extent how much personal data was exposed in the breach.
Equifax had already reported that the names, Social Security numbers, and dates of birth of 143 million US consumers had been exposed, along with driver’s license numbers “in some instances” and the credit card numbers of 209,000 individuals. The company’s management had also reported that “certain dispute documents,” submitted by about 182,000 consumers contesting their credit reports, had been exposed, along with some information about British and Canadian consumers.
But the exact details of the nature of these documents and information had not been revealed, in part because Equifax felt it did not have a legal obligation to disclose those details. “With respect to the data elements of gender, phone number, and email addresses, US state data breach notification laws generally do not require notification to consumers when these data elements are compromised, particularly when an email address is not stolen in combination with further credentials that would permit access,” Equifax’s management asserted in the SEC letter.
Of the 146.6 million individuals affected by the breach:
In addition, Equifax provided more detail about the “dispute documents” that were stolen in the breach. These were personal identity documents uploaded as images to Equifax:
The stolen data did not come from a single, centralized database but from a collection of disparate databases associated with Equifax’s Web applications and payment systems. “As earlier statements made clear,” Equifax’s letter stated, “the company’s forensics experts found no evidence that Equifax’s US and international core consumer, employment and income, or commercial credit reporting databases were accessed as part of the cyber attack.”
Because the databases from which the data was stolen did not share a consistent schema, Equifax’s forensic investigation team (with the assistance of a team from Mandiant) had to map each database’s fields to standard data elements in order to “determine the impacted consumers and Equifax’s notification obligations.”
Equifax did not share information in the letter about the correlation between the data elements exposed, so there’s no way to tell how many individuals had multiple types of personal data stolen. But name, address, Social Security number, date of birth, and driver’s license numbers are enough on their own to do significant damage through identity theft. And the combination of that data with email addresses and phone numbers exposes millions to potential “spear phishing” and phone scams.
Equifax has offered credit protection services to individuals affected by the breach. But the company badly bungled its early communications with victims, including sending communications that directed consumers to a fraudulent website. Then it did so again, sending consumers to a site hosting a fake “Adobe Flash update” malware downloader.