Equifax has some serious questions to answer after the Senate Banking Committee, analyzing documents from last year's massive data breach, discovered that far more private data was stolen than first revealed.
The breach, announced last September, was originally said to have compromised the personal information of approximately 145.5 million U.S. consumers. The information accessed "primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers." In other words, pretty much everything that should have been hidden behind a number of firewalls was made available to the dark net's highest bidder.
The additional information accessed by hackers includes tax ID numbers as opposed to just Social Security numbers, email addresses, and more driver's license information than was previously disclosed by the company.
Equifax said, in a document submitted to the Senate Banking Committee and reviewed by The Wall Street Journal, that cyberthieves accessed records across numerous tables in its systems that included such data as tax identification numbers, email addresses and drivers’ license information beyond the license numbers it originally disclosed. -WSJ
It is unknown how many of the 145.5 million people were exposed to the increased level of data theft; however, a company spokeswoman said that an "insignificant number" of email addresses had been compromised.
“We have complied with applicable notification requirements in the disclosure process,” said the spokeswoman, who added that email notices were sent to impacted consumers.
Equifax confirmed to the Wall Street Journal that additional drivers' license information had been accessed, including issue dates and states.
“Additional driver’s license information accessed other than the driver’s license number was extremely minimal,” said the spokeswoman, adding that “anyone with a potentially affected driver’s license number” can look up their name on the Equifax website.
Massachusetts Senator Elizabeth Warren (D-MA) released a report on the Equifax hack after the Banking Committee she sits on spent the last five months analyzing the breach.
"As your company continues to issue incomplete, confusing, and contradictory statements and hide information from Congress and the public, it is clear that five months after the breach was publicly announced, Equifax has yet to answer this simple question in full: what was the precise extent of the breach?" the letter reads.
Warren's letter then issues four demands to Equifax:
1) A full and complete list of all data elements that Equifax has confirmed were accessed by hackers in the breach, and the number of individuals affected by the breach of these individual data elements. Please include information on when Equifax confirmed that taxpayer identification numbers, email addresses, and driver's license issue dates and states were accessed by the hackers.
2) A full and complete list of all data elements that Equifax has reason to believe may have been accessed by the hackers, the potential number of individuals potentially affected, and the status of Equifax efforts to confirm if they were or were not accessed.
3) A timeline of all Equifax efforts to determine the full extent of the breach, and summaries of any internal reports or information, or reports or information provided to Equifax by Mandiant or any outside entities describing the extent of the breach.
4) The process used by Equifax to inform members of the public that taxpayer identification numbers, email addresses, and drivers' license information has been breached.
Senator Warren and fellow committee member Sen. Mark Warner (D-VA) have concurrently introduced the Data Breach Prevention and Compensation Act, which will hold credit reporting agencies accountable for data breaches - fining them $100 for each customer who had one piece of personal data stolen, and $50 for each additional set of compromised data.
Had this law been in effect during the 2017 breach, it would have cost Equifax billions.
Following the disclosure of the hack, Equifax canned several executives, including CEO Richard Smith - who is set to receive an $18 million bonus. Smith was replaced by interim CEO Paulino do Rego Barros Jr.
In the weeks following, Mr. Smith and Mr. Barros appeared before congressional committees to discuss the breach; Mr. Barros stated that the company quadrupled spending on security and updated its security tools since the breach. -WSJ
Last month, Equifax launched a free service to allow consumers to "lock and unlock" their Equifax credit report in an effort to beef up security.
In a world of flashing headlines and information overload, let the fact that nearly half of America had sensitive information stolen by hackers - a breach which will have serious and lasting effects on both consumers and banks whose fraud prevention departments will be working overtime for years to come.