Equifax says that its digital forensic investigators have found that while its tally of 145.5 million U.S. breach victims hasn't changed, more of them had their email addresses, tax identification numbers and driver's license information exfiltrated.
A document submitted to the U.S. Senate Banking Committee last week by Atlanta-based Equifax describes the additional types of information that went missing, the Wall Street Journal first reported.
"On Sept. 7, Equifax announced that the information accessed in the cybersecurity incident primarily included names, Social Security numbers, birthdates, addresses, drivers' license numbers and in in some instances, credit card numbers and certain dispute documents with personal identifying information," Meredith Griffanti, an Equifax spokeswoman, tells Information Security Media Group.
"Acting with full transparency, we also provided the Senate Banking Committee with an additional list of potential but not primary data points that may have been accessed that we categorized and analyzed in the forensic investigation," Griffanti adds. "We sent direct mail notices to those consumers whose credit card numbers or dispute documents with PII were impacted. The approximate number of 145.5 million impacted U.S. consumers has not changed."
Griffanti says the full details of what was stolen for every consumer are provided to any victims who use its breach notification site.
Equifax's initial security alert, issued on Sept. 7, 2017, warned that it had suffered a data breach that resulted in personally identifiable information on 143 million U.S. consumers being exposed, as well as information on U.K. and Canadian residents.
Equifax later revised those figures, saying personal data for 145.5 million U.S. individuals was exposed, including payment card numbers for 209,000 U.S. consumers as well as documents related to credit disputes for 182,000 U.S. consumers. The credit bureau has also said that 15.2 million records pertaining to U.K. residents were exposed, putting 860,000 British consumers at risk, and said that 8,000 Canadian residents' personal details were also exposed (see Equifax Breach Victims: UK Count Goes Up).
The breach, which began on March 10, 2017, led to the ousting of the company's CIO, CSO as well as CEO Richard Smith, who blamed "human error" for the company's failure to patch the Apache Struts web application that hackers exploited (see Equifax Ex-CEO Blames One Employee For Patch Failures).
The U.S. Federal Trade Commission and the Department of Justice, state of New York, and regulators in Canada and the United Kingdom are investigating the Equifax breach. The breach has also sparked numerous class action lawsuits.
To better defend against breaches, Paulino Barros, Equifax's interim CEO, says the company has quadrupled its cybersecurity spending.
But privacy experts warn that the damage caused by the massive exposure of personally identifiable information may never be undone. The Equifax breach was one of the worst in history and has left more than half of all U.S. adults at risk of identity theft for the rest of their lives (see US Data Breaches Hit All-Time High).
Countdown to GDPR
Equifax's disclosure last week that some potentially compromised data was, indeed, compromised sparked more criticism from information security experts.
"That's the sort of honesty we have come to expect from Equifax," says Ian Thornton-Trump, the cyber vulnerability and threat hunting lead at London-based betting and gambling company Ladbrokes Coral Group. "Why could this not have happened on 26 May 2018, so the GDPR - aka Death Star - would be fully operational to deal a devastating fine for Equifax's behavior?"
Thornton-Trump says that when the EU in May begins enforcing the General Data Protection Regulation, which applies to any business that handle Europeans' personal data, many businesses are going to face some tough questions. "The two questions Equifax raises especially under GDPR are: One, who is responsible for PII data security after it is collected and sent to multiple processors? And two, is specific consent required for each and every step of that process when it involves third parties?" he tells Information Security Media Group.
Self-Administered Breach Notifications
Equifax has also been criticized by many consumer and privacy rights groups for requiring many potential U.S. victims - who may have no idea that their personal information was being collected and sold by Equifax - to have to go to a data breach notification website set up by Equifax to see if they were breach victims.
Equifax's Griffanti tells ISMG that the company complied with all states' data breach notification laws (see Senators Again Propose National Breach Notification Law). She adds that consumers will have received mailed notifications if certain information, such as payment card numbers, was exposed.
Equifax says anyone with a tax ID number can input that - instead of a Social Security number - into Equifax's breach notification website to see if they were affected.
The Internal Revenue Service says that a tax identification number is "only available for certain nonresident and resident aliens, their spouses and dependents who cannot get a Social Security number."
Equifax told the Wall Street Journal that the "additional driver's license information accessed other than the driver's license number was extremely minimal" and that "anyone with a potentially affected driver's license number" can also look up their status on Equifax's breach notification site.
Warren's Five-Month Investigation
Equifax's latest report to the Senate committee came just days after Sen. Elizabeth Warren, D-Mass., issued a report into her office's own, ongoing Equifax breach investigation.
"In October, when I asked the CEO about the precise extent of the breach, he couldn't give me a straight answer. So for five months, I investigated it myself," Warren tweeted on Saturday.
On Wednesday, Warren released the results of that investigation, criticizing Equifax on numerous fronts, including telling consumers their data had been "accessed" when Warren says Equifax's former CEO, Richard Smith, testified to Congress that it had, in fact, been exfiltrated, meaning that it was stolen and that third parties will have access to all of that personally identifiable information in perpetuity. Warren also says some U.S. passport numbers were compromised in the breach. Equifax, however, contends that they were not.
On Friday, in light of Equifax's most recent breach update, Warren - who's also a member of the Senate banking committee - wrote to Equifax demanding a complete accounting of its data breach and response.
"While Equifax confirmed the release of this additional data this morning, the company continues to dissemble and downplay the significance, refusing to provide any information on the number of taxpayer identification numbers or email addresses that were hacked, and claiming that email addresses 'aren't considered sensitive personal information,'" she wrote.
Bill Would Fine Breaches of PII
Last month, Warren and Sen. Mark Warner, D-Va., introduced draft legislation dubbed the Data Breach Prevention and Compensation Act that is designed "to hold large credit reporting agencies (CRAs) - including Equifax - accountable for data breaches involving consumer data." The bill would give the Federal Trade Commission more authority to monitor CRAs' information security practices and incentivize them based on results. To do that, it would fine CRAs $100 for any consumer whose PII was compromised, plus $50 for each additional violation.
"For years, Equifax and other big credit reporting agencies have been able to get away with profiting off using people's private info and doing so without their explicit permission," Warren tells Vox, a news website. "We need real consequences for when they screw up."
Warren tells Vox that Equifax shouldn't be allowed "to wiggle off the hook for having put more than half of all adult American at risk for fraud for years to come because of the data that were stolen."
Under her draft legislation, Warren last week said Equifax would have faced a $1.5 billion penalty, Warren writes in a blog post.
Based on the expanded scope of the breach revealed in recent days, however, the potential penalty would have been even higher.
Senators Demand Equifax Probe Update
On Wednesday, Reuters reported that Mick Mulvaney, who became head of the Consumer Financial Protection Bureau last November, has shelved the CFPB probe into Equifax (see Cynic's Guide to the Equifax Breach: Nothing Will Change).
Last month, Mulvaney requested that the CFPB be given $0 in funding, saying that the agency would draw down its reserves. But Rep. Carolyn Maloney, D-N.Y., who's a senior member of the House Financial Services Committee, accused Mulvaney of attempting to "defund and defang" the CFPB.
Citing the Reuters report, a group of more than 30 Democratic senators, led by Sen. Brian Schatz of Hawaii, on Thursday wrote to the CFPB, demanding an update on its Equifax investigation by Feb. 19 and asking directly if the probe has been frozen.
"The CFPB has a statutory mandate to participate in this process by conducting an investigation," the senators wrote. "If that investigation exposes wrongdoing or consumer harm, the CFPB has the authority, and indeed a duty, to bring appropriate enforcement actions."
The CFPB didn't immediately respond to a request for comment on the letter.
But last week, Mulvaney's senior adviser, John Czwartacki, issued a vague statement in response to the Reuters report.
"Acting Director Mulvaney takes data security issues very seriously," Czwartacki said. "Under his direction, the CFPB is working with our partners across government on Equifax's data breach and response. We are committed to enforcing the law. As policy, we do not confirm or deny enforcement or supervisory matters."