On May 7, executives of Equifax submitted a “statement for the record” to the Securities and Exchange Commission detailing the extent of the consumer data breach the company first reported on September 7, 2017. The data in the statement, which has also been shared with congressional committees investigating the breach, reveals to a fuller extent how much personal data was exposed in the breach.
Millions of driver’s license numbers, phone numbers, and email addresses were also exposed in connection with names, dates of birth, and Social Security numbers—offering a gold mine of data for identity thieves and fraudsters.
Equifax had already reported that the names, Social Security numbers, and dates of birth of 143 million US consumers had been exposed, along with driver’s license numbers “in some instances,” in addition to the credit card numbers of 209,000 individuals. The company’s management had also reported “certain dispute documents” submitted by about 182,000 consumers contesting credit reports had been exposed as well, in addition to some information about British and Canadian consumers.
Equifax felt it did not have a legal obligation to disclose those details
But the exact details of the nature of these documents and information had not been revealed, in part because Equifax felt it did not have a legal obligation to disclose those details. “With respect to the data elements of gender, phone number, and email addresses, US state data breach notification laws generally do not require notification to consumers when these data elements are compromised, particularly when an email address is not stolen in combination with further credentials that would permit access,” Equifax’s management asserted in the SEC letter.
Of the 146.6 million individuals affected by the breach:
- 145.5 million had Social Security numbers exposed.
- 99 million had address information exposed.
- 27.3 million had gender information exposed.
- 20.3 million had phone numbers exposed.
- 17.6 million had driver’s license numbers exposed.
- 1.8 million had email addresses exposed.
- 209,000 had credit card numbers exposed.
- 97,500 had Tax Identification numbers exposed.
- 27,000 had the state of their driver’s license exposed.
In addition, Equifax provided more detail about the “dispute documents” that were stolen in the breach. These were personal identity documents uploaded as images to Equifax:
- 38,000 driver’s licenses
- 12,000 Social Security and Taxpayer ID cards
- 3,200 passports and passport cards
- 3,000 other documents, including military and state IDs and resident alien cards.
The stolen data did not come from a single, centralized database but from a collection of disparate databases associated with Equifax’s Web applications and payment systems.
Based Blockchain Network