Equifax has revealed new information about the extent of the cybersecurity breach it announced in September.
In response to a congressional inquiry, the credit-reporting agency provided federal lawmakers with estimates for the number of U.S. consumers affected by the data breach.
According to Equifax’s statement to Congress, the types of data that hackers stole — and the approximate number of U.S. consumers affected — are:
- Name: Approximately 146.6 million U.S. consumers
- Date of birth: 146.6 million
- Social Security number: 145.5 million
- Address information: 99 million
- Gender: 27.3 million
- Phone number: 20.3 million
- Driver’s license number: 17.6 million (including the 2.4 million people whose partial driver’s license information and name were stolen, as Equifax announced in March)
- Email address: 1.8 million
- Payment card number and expiration date: 209,000
- Tax ID: 97,500
- Driver’s license state: 27,000
Additionally, hackers accessed images that about 182,000 U.S. consumers had uploaded to Equifax’s online dispute portal. Some images included government-issued identification.
As part of the congressional inquiry, Equifax reviewed those images to determine what types of valid government IDs were in the images and the approximate number of images that included each type of ID:
- Driver’s license: Approximately 38,000 images included this type of ID
- Social Security or taxpayer ID card: 12,000
- Passport or passport card: 3,200
- Other types of ID documents (such as military IDs, state-issued IDs and resident alien cards): 3,000
Equifax’s statement to Congress is publicly accessible via the U.S. Securities and Exchange Commission.
The SEC requires publicly traded companies to report “major events that shareholders should know about” on what’s known as a Form 8-K. Equifax’s Form 8-K regarding its congressional statement is also publicly available, albeit written in the same sterile language as the statement.
Equifax’s congressional statement and event report note that hackers stole data from multiple Equifax database tables. Equifax worked with a cybersecurity firm, Mandiant, to determine the extent of the breach for Congress.
The statement and report also note — repeatedly — that the information above does not represent additional stolen data and does not impact additional consumers.
Additionally, the documents state that Equifax has already notified affected consumers as the law requires.
That does not necessarily mean the breach did not affect you if Equifax did not contact you, though. The company notes legal exceptions. For example:
“With respect to the data elements of gender, phone number, and email addresses, U.S. state data breach notification laws generally do not require notification to consumers when these data elements are compromised, particularly when an email address is not stolen in combination with further credentials that would permit access.”
This latest chapter in the Equifax cybersecurity breach saga reveals a new — and fear-inspiring — level of detail about the extent of the hacking. But it changes little for consumers.
In the wake of learning this news, do the following:
- If you don’t already know whether the breach impacted you, you can find out by visiting Equifax’s dedicated “Cybersecurity Incident” website and clicking on the red “Am I Impacted?” button — assuming you’re willing to trust the company with your last name and the last four digits of your Social Security number.
- If the breach impacted you, seriously consider freezing your credit with all three nationwide credit reporting companies: Equifax, Experian and TransUnion. Remember, Equifax is offering free credit freezes through June 30.
As we’ve detailed repeatedly, a credit freeze or security freeze is generally the single best way to protect your identity and your finances if you know your sensitive personal information has been compromised. Just don’t let your guard down, as a freeze won’t fully protect you after a data breach.
What’s your take on this news? Sound off below or over on our Facebook page.