Equifax Reveals Full Extent of Data Breach Damage

Advertising Disclosure: When you buy something by clicking links on our site, we may earn a small commission, but it never affects the products or services we recommend.

Equifax scrutiny
Casimiro PT / Shutterstock.com

Equifax has revealed new information about the extent of the cybersecurity breach it announced in September.

In response to a congressional inquiry, the credit-reporting agency provided federal lawmakers with estimates for the number of U.S. consumers affected by the data breach.

The data

According to Equifax’s statement to Congress, the types of data that hackers stole — and the approximate number of U.S. consumers affected — are:

  • Name: Approximately 146.6 million U.S. consumers
  • Date of birth: 146.6 million
  • Social Security number: 145.5 million
  • Address information: 99 million
  • Gender: 27.3 million
  • Phone number: 20.3 million
  • Driver’s license number: 17.6 million (including the 2.4 million people whose partial driver’s license information and name were stolen, as Equifax announced in March)
  • Email address: 1.8 million
  • Payment card number and expiration date: 209,000
  • Tax ID: 97,500
  • Driver’s license state: 27,000

Additionally, hackers accessed images that about 182,000 U.S. consumers had uploaded to Equifax’s online dispute portal. Some images included government-issued identification.

As part of the congressional inquiry, Equifax reviewed those images to determine what types of valid government IDs were in the images and the approximate number of images that included each type of ID:

  • Driver’s license: Approximately 38,000 images included this type of ID
  • Social Security or taxpayer ID card: 12,000
  • Passport or passport card: 3,200
  • Other types of ID documents (such as military IDs, state-issued IDs and resident alien cards): 3,000

The details

Equifax’s statement to Congress is publicly accessible via the U.S. Securities and Exchange Commission.

The SEC requires publicly traded companies to report “major events that shareholders should know about” on what’s known as a Form 8-K. Equifax’s Form 8-K regarding its congressional statement is also publicly available, albeit written in the same sterile language as the statement.

Equifax’s congressional statement and event report note that hackers stole data from multiple Equifax database tables. Equifax worked with a cybersecurity firm, Mandiant, to determine the extent of the breach for Congress.

The statement and report also note — repeatedly — that the information above does not represent additional stolen data and does not impact additional consumers.

Additionally, the documents state that Equifax has already notified affected consumers as the law requires.

That does not necessarily mean the breach did not affect you if Equifax did not contact you, though. The company notes legal exceptions. For example:

“With respect to the data elements of gender, phone number, and email addresses, U.S. state data breach notification laws generally do not require notification to consumers when these data elements are compromised, particularly when an email address is not stolen in combination with further credentials that would permit access.”

The aftermath

This latest chapter in the Equifax cybersecurity breach saga reveals a new — and fear-inspiring — level of detail about the extent of the hacking. But it changes little for consumers.

In the wake of learning this news, do the following:

  1. If you don’t already know whether the breach impacted you, you can find out by visiting Equifax’s dedicated “Cybersecurity Incident” website and clicking on the red “Am I Impacted?” button — assuming you’re willing to trust the company with your last name and the last four digits of your Social Security number.
  2. If the breach impacted you, seriously consider freezing your credit with all three nationwide credit reporting companies: Equifax, Experian and TransUnion. Remember, Equifax is offering free credit freezes through June 30.

As we’ve detailed repeatedly, a credit freeze or security freeze is generally the single best way to protect your identity and your finances if you know your sensitive personal information has been compromised. Just don’t let your guard down, as a freeze won’t fully protect you after a data breach.

What’s your take on this news? Sound off below or over on our Facebook page.

Get smarter with your money!

Want the best money-news and tips to help you make more and spend less? Then sign up for the free Money Talks Newsletter to receive daily updates of personal finance news and advice, delivered straight to your inbox. Sign up for our free newsletter today.