Equifax Data Breach: Firm Confirms More Customer Data Stolen

Tom Jowitt is a leading British tech freelance and long standing contributor to TechWeek Europe

Oh dear. Millions more customers have had their data compromised, Equifax confirms

Equifax has warned that its forensic examination of its hugely damaging breach last year has revealed that more customers have had their personal data compromised than first thought.

The credit checking specialist was able to identify approximately 2.4 million US consumers whose names and partial driver’s license information were also stolen.

This is in addition to the 143 million US consumers, as well as nearly 700,000 UK consumers, that had their data stolen when the firm revealed its data breach to the world in September last year.

Driving Licence

According to Equifax, these 2.4 million US consumers have had their partial driver’s license information taken.

“Equifax was able to identify these consumers by referencing other information in proprietary company records that the attackers did not steal, and by engaging the resources of an external data provider,” it said in a statement.

“Through these additional efforts, Equifax was able to identify approximately 2.4 million U.S. consumers whose names and partial driver’s license information were stolen, but who were not in the previously identified affected population discussed in the company’s prior disclosures about the incident,” it said. “This information was partial because, in the vast majority of cases, it did not include consumers’ home addresses, or their respective driver’s license states, dates of issuance, or expiration dates.”

The firm was also keen to stress that this was not newly stolen data.

“This is not about newly discovered stolen data,” said Paulino do Rego Barros, Jr., Interim CEO. “It’s about sifting through the previously identified stolen data, analysing other information in our databases that was not taken by the attackers, and making connections that enabled us to identify additional individuals.”

Equifax said it would notify these newly identified US consumers directly, and offer them identity theft protection and credit file monitoring services at no cost.

“We continue to take broad measures to identify, inform, and protect consumers who may have been affected by this cyberattack,” Barros added. “We are committed to regaining the trust of consumers, improving transparency, and enhancing security across our network.”

Breach Fallout

The data breach at Equifax took place between mid-May through July 2017.

Its fallout has triggered multiple investigations across the world, and the credit monitoring firm was hauled up before the US Congress, where former CEO Richard Smith faced a serious grilling from US Senators.

And to make matters worse, it seems that a security researcher had already warned the firm about its vulnerability to a cyberattack six months before it suffered the breach.

The unnamed researcher couldn’t believe it when one particular Equifax website he found he was able to access access the personal data of millions upon millions of Americans (names, dates of birth, social security numbers etc).

The website in question apparently looked like a portal made only for employees, but was completely exposed to anyone on the internet.

It displayed several search fields, and anyone with no authentication could force the site to display the personal data of Equifax’s customers, the researcher reportedly said.

The researcher then notified the company of the flaw, but Equifax failed to act on the warning.

Do you know all about security? Try our quiz!