Equifax Reveals Full Extent of Data Breach Damage

Congress has pushed Equifax to detail every type of data hackers stole from the company and the numbers of consumers affected. It's not pretty.

Equifax Reveals Full Extent of Data Breach Damage Photo by Casimiro PT / Shutterstock.com

Equifax has revealed new information about the extent of the cybersecurity breach it announced in September.

In response to a congressional inquiry, the credit-reporting agency provided federal lawmakers with estimates for the number of U.S. consumers affected by the data breach.

The data

According to , the types of data that hackers stole — and the approximate number of U.S. consumers affected — are:

  • Name: Approximately 146.6 million U.S. consumers
  • Date of birth: 146.6 million
  • Social Security number: 145.5 million
  • Address information: 99 million
  • Gender: 27.3 million
  • Phone number: 20.3 million
  • Driver’s license number: 17.6 million (including the 2.4 million people whose partial driver’s license information and name were stolen, as Equifax announced in March)
  • Email address: 1.8 million
  • Payment card number and expiration date: 209,000
  • Tax ID: 97,500
  • Driver’s license state: 27,000

Additionally, hackers accessed images that about 182,000 U.S. consumers had uploaded to Equifax’s online dispute portal. Some images included government-issued identification.

As part of the congressional inquiry, Equifax reviewed those images to determine what types of valid government IDs were in the images and the approximate number of images that included each type of ID:

  • Driver’s license: Approximately 38,000 images included this type of ID
  • Social Security or taxpayer ID card: 12,000
  • Passport or passport card: 3,200
  • Other types of ID documents (such as military IDs, state-issued IDs and resident alien cards): 3,000

The details

Equifax’s statement to Congress is publicly accessible via the U.S. Securities and Exchange Commission.

The SEC requires publicly traded companies to report “major events that shareholders should know about” on what’s known as a . Equifax’s is also publicly available, albeit written in the same sterile language as the statement.

Equifax’s congressional statement and event report note that hackers stole data from multiple Equifax database tables. Equifax worked with a cybersecurity firm, Mandiant, to determine the extent of the breach for Congress.

The statement and report also note — repeatedly — that the information above does not represent additional stolen data and does not impact additional consumers.

Additionally, the documents state that Equifax has already notified affected consumers as the law requires.

That does not necessarily mean the breach did not affect you if Equifax did not you, though. The company notes legal exceptions. For example:

“With respect to the data elements of gender, phone number, and email addresses, U.S. state data breach notification laws generally do not require notification to consumers when these data elements are compromised, particularly when an email address is not stolen in combination with further credentials that would permit access.”

The aftermath

This latest chapter in the Equifax cybersecurity breach saga reveals a new — and fear-inspiring — level of detail about the extent of the hacking. But it changes little for consumers.

In the wake of learning this news, do the following:

  1. If you don’t already know whether the breach impacted you, you can find out by visiting Equifax’s dedicated “” website and clicking on the red “Am I Impacted?” button — assuming you’re willing to trust the company with your last name and the last four digits of your Social Security number.
  2. If the breach impacted you, seriously consider freezing your credit with all three nationwide credit reporting companies: Equifax, Experian and TransUnion. Remember, Equifax is offering free credit freezes through June 30.

As we’ve detailed repeatedly, a credit freeze or security freeze is generally the single best way to protect your identity and your finances if you know your sensitive personal information has been compromised. Just don’t let your guard down, as a freeze won’t fully protect you after a data breach.

What’s your take on this news? Sound off below or over on .

Karla Bowsher
Karla Bowsher
I’m a freelance journalist and former newspaper reporter who has covered both personal and public finance. I've worked for a top 50 major metro daily and a community newspaper as well as ... More

Comments

1,138 Active Deals

More Deals