Equifax sends Congress more details on massive data breach

Credit reporting agency Equifax recently sent more details to Congress about its massive data breach last year, which impacted over 145 million Americans. 

The statement, which breaks down the numbers of U.S. consumers who had specific types of personal information stolen, comes eight months after Equifax first disclosed that hackers had breached its system — a revelation that spurred intense scrutiny in and outside Washington.

{mosads}In particular, Equifax confirmed to congressional lawmakers that approximately 145.5 million U.S. consumers had their Social Security numbers stolen by hackers, while over 200,000 had their credit card data stolen.

Equifax revealed that the company had provided additional information to multiple congressional committees in a filing with the Securities and Exchange Commission (SEC) submitted on Monday. Lawmakers received the company’s statement on Friday, according to the filing.

“The statement provided additional detail on the data elements stolen in the cybersecurity incident related to those U.S. consumers and was made in response to, and as part of the Company’s ongoing cooperation with, government requests for information,” Equifax wrote. 

The company emphasized that the new information “does not identify additional consumers affected and does not require additional consumer notifications.”

According to filing, hackers accessed names and birthdates of roughly 146.6 million U.S. consumers; Social Security numbers of 145.5 million; addresses of 99 million; gender of 27.3 million; phone numbers of 20.3 million; driver’s license numbers of 17.6 million; email addresses of 1.8 million; payment card numbers and expiration dates of 209,000; TaxIDs of 97,500; and driver’s license states of 27,000.

Equifax also identified the numbers of specific government-issued identifications — such as driver’s licenses — that had been uploaded to the company’s dispute portal and were thus impacted in the breach. 

Equifax said that hackers accessed photos of 38,000 driver’s licenses, 12,000 Social Security or taxpayer ID cards, 3,200 passports, and 3,000 other documents including military IDs or state-issued IDs. 

Equifax also said that the company hired cybersecurity firm Mandiant, a subsidiary of FireEye, to help with the forensic analysis following the breach. 

The credit reporting firm created a media firestorm when it revealed on Sept. 7 that a “cybersecurity incident” had resulted in hackers making away with sensitive personal data on as many as 143 million U.S. consumers — nearly half the U.S. population. Equifax has since updated the total of American breach victims to more than 147 million.

Lawmakers on Capitol Hill have clamored for more information about the breach, including why it took the company so long to disclose the breach when the activity was first detected at the end of July. Richard Smith, the company’s former CEO who was forced to resign amid the controversy, faced a grilling before multiple House and Senate committees over several days last October.

The revelation also prompted multiple state investigations and lawsuits, as well as an SEC probe into top executives at the company who allegedly sold millions in company stock before the breach was publicly revealed. 

In March, the SEC charged Jun Ying, Equifax’s former chief information officer, with insider trading.

“Through the company’s analysis, Equifax believes it has satisfied applicable requirements to notify consumers and regulators,” Equifax said in its recent statement to Congress. “It does not anticipate identifying further impacted consumers.”