Equifax Reveals Full Extent of Data Breach Damage

Equifax Reveals Full Extent of Data Breach Damage
Photo by Casimiro PT / Shutterstock.com

Equifax has revealed new information about the extent of the cybersecurity breach it announced in September.

In response to a congressional inquiry, the credit-reporting agency provided federal lawmakers with estimates for the number of U.S. consumers affected by the data breach.

The data

According to Equifax’s statement to Congress, the types of data that hackers stole — and the approximate number of U.S. consumers affected — are:

  • Name: Approximately 146.6 million U.S. consumers
  • Date of birth: 146.6 million
  • Social Security number: 145.5 million
  • Address information: 99 million
  • Gender: 27.3 million
  • Phone number: 20.3 million
  • Driver’s license number: 17.6 million (including the 2.4 million people whose partial driver’s license information and name were stolen, as Equifax announced in March)
  • Email address: 1.8 million
  • Payment card number and expiration date: 209,000
  • Tax ID: 97,500
  • Driver’s license state: 27,000

Additionally, hackers accessed images that about 182,000 U.S. consumers had uploaded to Equifax’s online dispute portal. Some images included government-issued identification.

As part of the congressional inquiry, Equifax reviewed those images to determine what types of valid government IDs were in the images and the approximate number of images that included each type of ID:

  • Driver’s license: Approximately 38,000 images included this type of ID
  • Social Security or taxpayer ID card: 12,000
  • Passport or passport card: 3,200
  • Other types of ID documents (such as military IDs, state-issued IDs and resident alien cards): 3,000

The details

Equifax’s statement to Congress is publicly accessible via the U.S. Securities and Exchange Commission.

The SEC requires publicly traded companies to report “major events that shareholders should know about” on what’s known as a Form 8-K. Equifax’s Form 8-K regarding its congressional statement is also publicly available, albeit written in the same sterile language as the statement.

Equifax’s congressional statement and event report note that hackers stole data from multiple Equifax database tables. Equifax worked with a cybersecurity firm, Mandiant, to determine the extent of the breach for Congress.

The statement and report also note — repeatedly — that the information above does not represent additional stolen data and does not impact additional consumers.

Additionally, the documents state that Equifax has already notified affected consumers as the law requires.

That does not necessarily mean the breach did not affect you if Equifax did not contact you, though. The company notes legal exceptions. For example:

“With respect to the data elements of gender, phone number, and email addresses, U.S. state data breach notification laws generally do not require notification to consumers when these data elements are compromised, particularly when an email address is not stolen in combination with further credentials that would permit access.”

The aftermath

This latest chapter in the Equifax cybersecurity breach saga reveals a new — and fear-inspiring — level of detail about the extent of the hacking. But it changes little for consumers.

In the wake of learning this news, do the following:

  1. If you don’t already know whether the breach impacted you, you can find out by visiting Equifax’s dedicated “Cybersecurity Incident” website and clicking on the red “Am I Impacted?” button — assuming you’re willing to trust the company with your last name and the last four digits of your Social Security number.
  2. If the breach impacted you, seriously consider freezing your credit with all three nationwide credit reporting companies: Equifax, Experian and TransUnion. Remember, Equifax is offering free credit freezes through June 30.

As we’ve detailed repeatedly, a credit freeze or security freeze is generally the single best way to protect your identity and your finances if you know your sensitive personal information has been compromised. Just don’t let your guard down, as a freeze won’t fully protect you after a data breach.

What’s your take on this news? Sound off below or over on our Facebook page.

Popular Articles

These Are the 20 Best Hospitals in the U.S.
These Are the 20 Best Hospitals in the U.S.

A familiar name tops this list.

Never Use a Debit Card to Buy These 9 Things
Never Use a Debit Card to Buy These 9 Things

Use your debit card for one of these expenses, and you could risk your bank account balance, your credit score or even identity fraud.

107 Easy Ways to Make Extra Cash
107 Easy Ways to Make Extra Cash

Need quick cash? Here are lots of easy ways to earn extra money from home, from getting cash back when you shop to getting paid for watching videos and playing games.

View this page without ads

Help us produce more money-saving articles and videos by subscribing to a membership.

Get Started