Equifax – The Breach That Keeps Getting Bigger

posted in Disaster Recovery ● 15 May 2018

Last year, in September 2017, Equifax revealed that hackers had stolen numerous data files. The credit ratings agency initially reported that the private information of over 140 million consumers had been stolen. The stolen data included Social Security numbers, dates of birth, addresses and even some driver’s licenses.


What happened? 

A month after the breach was disclosed, Equifax revised that figure, saying that an additional 2.5 million people had their data stolen. It later revised the total once more: on March 1, 2018 it announced that a further 2.4 million U.S. consumers had their data stolen.

In a statement released on that day Equifax commented:

“Through these additional efforts, Equifax was able to identify approximately 2.4 million U.S. consumers whose names and partial driver’s license information were stolen, but who were not in the previously identified affected population discussed in the company’s prior disclosures about the incident. This information was partial because, in the vast majority of cases, it did not include consumers’ home addresses, or their respective driver’s license states, dates of issuance, or expiration dates.”

The statement went on further:

“The methodology used in the company’s forensic examination of last year’s cybersecurity incident leveraged Social Security numbers (SSNs) and names as the key data elements to identify who was affected by the cyberattack,” the company said in its announcement. “This was in part because forensics experts had determined that the attackers were predominately focused on stealing SSNs. Today’s newly identified consumers were not previously informed because their SSNs were not stolen together with their partial driver’s license information.”

The additional 2.4 million consumers had their names and partial driver’s license information stolen in the Equifax data breach. The information stolen does not include home addresses, the state of issue for the license, the issued date or the expiration dates. These consumers also did not have their Social Security numbers stolen; Equifax claimed that is why this wasn’t discovered during the initial investigations.

Equifax said it “will notify these newly identified U.S. consumers directly” and offer them free credit monitoring and identity theft protection. However, this appears just to be an attempt to avoid seeming incompetent.  

As for the investigations, Equifax believed that it had in fact “uncovered everything” following the initial breach last September. Yet it has had to make more than one amendment regarding the extent of the hack and the data exposed.

Last month, it was confirmed that the data breach included more types of data, such as tax identification numbers, email addresses and driver’s licenses. This addition was not disclosed to the public directly; it was instead reported by the Wall Street Journal, which had a Senate Banking Committee document leaked to it.

Equifax stated that the discovery of the 2.4 million newly affected consumers came to light as part of “ongoing analysis” into the breach.


How big was the leak? 

The totality of the leak is astonishing: 146.6 million names, 146.6 million dates of birth, 145.5 million Social Security numbers, 99 million addresses and 209,000 payment cards (number and expiry date) were exposed. The company said there were also 38,000 American driver’s licenses and 3,200 passport details.

The further details emerged after cybersecurity firm Mandiant’s investigators helped “standardise certain data elements for further analysis to determine the consumers whose personally identifiable information was stolen.” The extra data elements, the company stated, did not involve any individuals not already known to be part of the hack, so no additional consumer notifications are required.

The company’s stock price is now higher than before the cyber-attack took place, but the worst may be yet to come, with regulators and consumer rights groups across the world preparing legal cases. In addition to this, Equifax has spent millions on belatedly upgrading its technology and security infrastructure, not to mention the cost of repairing its tarnished reputation.


What can be learned?

The Equifax breach remains one of the largest data breaches in history and, given the nature of the company and the type of data leaked, one of the most serious. At a time when ransomware was often making headlines, this breach raised the level of fear that large organisations had about losing data, making them realise that they weren’t immune. Equifax, among other large organisations, will have updated its cyber-security policies, cutting the risk associated with a breach, and ensured that recovery processes were securely put in place.

The General Data Protection Regulation (GDPR) is another reason organisations have been frantically updating data protection policies in the last 18 months, and it will soon come into full effect. The regulation sets out, across Europe, new legislation for organisations to follow to ensure that breaches on the scale of the Equifax breach cannot occur again.
