As a follow-up to our recent article on the 5 month aftermath of the Equifax data breach of 2017, this weekend revealed that more personal identity data than previously disclosed was exposed in the unprecedented hack.
In a series of documents given to the Senate Banking Committee as part of their inquiry into the breach, the credit monitoring and rating agency revealed that the hack potentially exposed tax identification numbers, email addresses, and phone numbers; this is in addition to the previously admitted stolen identity data including the names, Social Security numbers, birth dates, addresses, driver’s licenses and credit card numbers of 145.5 million American citizens.
This is the first time the company has admitted this aspect of the data breach. They did not mention it during the initial public disclosures to either Congress or the American public. The Wall Street Journal broke the news on February 9.
Equifax’s new disclosure has angered many members of the Senate Banking Committee, including Senator Elizabeth Warren (D-MA). “A new report today in the Wall Street Journal confirms that the extent of the breach is beyond what Equifax disclosed, and raises additional questions about the breach, about Equifax’s response, and about the completeness and veracity of information provided to Congress and the American public,” she said in an open letter to to Equifax’s chief executive Paulino do Rego Barros on February 9.
“As your company continues to issue incomplete, confusing, and contradictory statements and hide information from Congress and the public, it is clear that five months after the breach was publicly announced, Equifax has yet to answer this simple question in full: what was the precise extent of the breach?”
Senator Warren had already released a report accusing Equifax of blatantly disregarding known holes in their cybersecurity and database protection until after the breach, and then delaying the disclosure of the hack by about 4 months. She also pointed out serious flaws in their response after their disclosure: customers left on hold for hours, unable to get a straight answer as to whether and how much identity information had been accessed, and forced to deal with inconsistent and potentially leaky websites.
In a statement, Equifax spokeswoman Meredith Griffanti said that “in no way did we intend to mislead consumers.” In an email to ZDNet, she called the headline in the Wall Street Journal “extremely misleading,” but admitted to the new data point exposure. According to Equifax, the number of potential consumers hacked has not changed.
While it is unclear what this might mean for the agency from a legal standpoint—there has been a controversial halt in some of the investigations into the breach—the new revelations may serve to further degrade the trust between consumers and Equifax, further tarnishing their image and cutting into their bottom line. While only time will tell, enterprises should remember that consumers tend to avoid companies that abuse or neglect their identity data—and should be prepared beforehand.