Equifax Update Clarifies Breach Details to SEC

Under-fire credit reporting agency Equifax has released updated figures clarifying the types and volumes of data stolen in its massive 2017 breach.

In a letter sent on Monday to the regulator, the US Securities and Exchange Commission (SEC), the firm explained that although the total number of affected consumers is unchanged, it has now been able to confirm the volume of each type of data stolen.

“The attackers stole consumer records from a number of database tables with different schemas. With assistance from Mandiant, a cybersecurity firm, forensic investigators were able to standardize certain data elements for further analysis to determine the consumers whose personally identifiable information was stolen,” it explained in the letter.

“As a result of its analysis of the standardized data elements, including using data not stolen in the cybersecurity incident, the Company was able to confirm the approximate number of those impacted US consumers for each of the following data elements stolen in the cybersecurity incident.”

The stats are as follows: name (146.6 million); date of birth (146.6m); Social Security number (145.5m); address info (99m); gender (27.3m); phone number (20.3m); driver’s license number (17.6m); email address (1.8m); payment card number and expiration date (209,000); TaxID (97,500); and driver’s license state (27,000).

In addition, Equifax revealed exactly how many government-issued identification documents had been compromised after being uploaded to its dispute portal: 38,000 driver’s licenses; 12,000 Social Security or taxpayer ID cards; 3,200 passports or passport cards; and 3,000 other government-issued ID docs including military IDs, state-issued IDs and resident alien cards.

The revelations drive home the huge range of highly sensitive data that was stolen from the company: figures that will lend weight to proposed new legislation designed to make the big credit agencies more accountable.

It’s claimed Equifax would have paid $1.5bn under the new Data Breach Prevention and Compensation Act.

In related news, security vendor Sonatype has claimed to have identified almost 11,000 organizations still running old, insecure versions of Apache Struts: the open source framework that was exploited by the Equifax hackers after the firm failed to patch promptly.

These apparently include seven Fortune Global 100 tech companies.
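The Sonatype finding above is about organizations that still ship outdated Struts builds. A basic defensive check is to inventory the Struts artifacts declared in Maven build files and flag any below the minimum version you accept. The script below is an added example, not code from the article, Equifax, or Sonatype; the `pom.xml` content is constructed, and `MINIMUM_VERSION` is a placeholder that a reader would set from the Struts project's own security advisories (the article gives no version numbers).

```python
"""Flag Apache Struts dependencies in a Maven pom.xml that fall below a
minimum acceptable version.  Added example: handles ${property} version
placeholders and unversioned (BOM-managed) dependencies, both of which a
naive grep for 'struts' would miss."""
import re
import xml.etree.ElementTree as ET

# Placeholder: set this from the Struts project's advisories for your deployment.
MINIMUM_VERSION = "2.5.0"

# Constructed sample build file (not any real project's pom.xml).
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>demo-app</artifactId>
  <version>1.0</version>
  <properties>
    <struts.version>2.3.30</struts.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-rest-plugin</artifactId>
      <version>2.5.16</version>
    </dependency>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-json-plugin</artifactId>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.12</version>
    </dependency>
  </dependencies>
</project>
"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")


def parse_version(text):
    """'2.3.30' -> (2, 3, 30); pads to three numeric parts so '2.5' < '2.5.16'."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def resolve(value, props):
    """Expand ${name} references using the pom's <properties> block."""
    return PLACEHOLDER.sub(lambda m: props.get(m.group(1), m.group(0)), value)


def find_struts_dependencies(pom_xml):
    """Return [(artifactId, resolved version or '')] for org.apache.struts deps."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    props.setdefault("project.version",
                     root.findtext("m:version", default="", namespaces=NS).strip())
    found = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        group = dep.findtext("m:groupId", default="", namespaces=NS).strip()
        if group != "org.apache.struts":
            continue
        artifact = dep.findtext("m:artifactId", default="", namespaces=NS).strip()
        version = resolve(dep.findtext("m:version", default="", namespaces=NS).strip(), props)
        found.append((artifact, version))
    return found


def flag_outdated(pom_xml, minimum_version=MINIMUM_VERSION):
    """Return [(artifactId, version, reason)] for deps needing attention.
    A missing or unresolved version is flagged too: it must be checked by hand."""
    minimum = parse_version(minimum_version)
    flagged = []
    for artifact, version in find_struts_dependencies(pom_xml):
        if not version or "${" in version:
            flagged.append((artifact, version, "version not declared in this pom"))
        elif parse_version(version) < minimum:
            flagged.append((artifact, version, "below minimum %s" % minimum_version))
    return flagged


if __name__ == "__main__":
    for artifact, version, reason in flag_outdated(SAMPLE_POM):
        print("%-22s %-8s %s" % (artifact, version or "(none)", reason))
```

Run against a tree of checked-out repositories, this gives a first inventory; it does not see transitive dependencies or jars bundled in a WAR, so pair it with a dependency-tree or container-image scan before trusting a "clean" result.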
