Equifax – The Breach That Keeps Getting Bigger
In September 2017, Equifax revealed that it had had numerous data files stolen by hackers. The credit ratings agency initially reported that over 140 million consumers' private information had been stolen. The stolen data included Social Security numbers, dates of birth, addresses and even some driver’s licenses.
A month after the breach was discovered, Equifax revised that figure, saying that an additional 2.5 million people had their data stolen. The company later revised the total once more: on March 1, 2018, it announced that a further 2.4 million U.S. consumers had their data stolen.
In a statement released on that day Equifax commented:
“Through these additional efforts, Equifax was able to identify approximately 2.4 million U.S. consumers whose names and partial driver's license information were stolen, but who were not in the previously identified affected population discussed in the company's prior disclosures about the incident. This information was partial because, in the vast majority of cases, it did not include consumers' home addresses, or their respective driver's license states, dates of issuance, or expiration dates.”
The statement went on further:
"The methodology used in the company's forensic examination of last year's cybersecurity incident leveraged Social Security numbers (SSNs) and names as the key data elements to identify who was affected by the cyberattack," the company said in its announcement. "This was in part because forensics experts had determined that the attackers were predominately focused on stealing SSNs. Today's newly identified consumers were not previously informed because their SSNs were not stolen together with their partial driver's license information."
The additional 2.4 million consumers had their names and partial driver's license information stolen in the Equifax data breach. The information stolen does not include home addresses, the state of issue for the license, the issue date or the expiration date. These consumers also did not have their Social Security numbers stolen; Equifax claimed that is why this wasn't discovered during the initial investigations.
Equifax said it "will notify these newly identified U.S. consumers directly" and offer them free credit monitoring and identity theft protection. However, this appears just to be an attempt to avoid seeming incompetent.
As for the investigations being conducted, Equifax believed that it had in fact “uncovered everything” following the initial breach last September. Yet it has had to make more than one amendment with regard to the extent of the hack and the data exposed.
Last month, it was confirmed that the data breach included more types of data, such as tax identification numbers, email addresses and driver's licenses. This addition was not actually disclosed to the public directly; it was instead reported by the Wall Street Journal, which had a Senate Banking Committee document leaked to it.
Equifax stated that the discovery of the 2.4 million newly affected consumers came to light as part of "ongoing analysis" into the breach.
How big was the leak?
The totality of the leak is astonishing. 146.6 million names, 146.6 million dates of birth, 145.5 million Social Security numbers, 99 million address records and 209,000 payment cards (number and expiry date) were exposed. The company said there were also 38,000 American drivers' licenses and 3,200 passport details.
The further details emerged after cybersecurity firm Mandiant's investigators helped “standardise certain data elements for further analysis to determine the consumers whose personally identifiable information was stolen.” The extra data elements, the company stated, did not involve any individuals not already known to be part of the hack, therefore no additional consumer notifications are required.
The company's stock price is now higher than before the cyber-attack took place, but the worst may be yet to come, with regulators and consumer rights groups across the world preparing legal cases. In addition to this, Equifax has also spent millions on belatedly upgrading its technology and security infrastructure, not to mention the cost of fixing its tarnished reputation.
What can be learned?
The Equifax breach remains one of the largest data breaches in history and, given the nature of the company and the type of data leaked, is one of the most serious breaches in history. At a time when ransomware was often making headlines, this breach elevated the levels of fear that large organisations had about losing data, making them realise that they weren’t immune. Equifax, among other large organisations, will have updated cyber-security policies, cut the risk associated with a breach and ensured that processes of recovery were securely put into place.
The General Data Protection Regulation (GDPR) is another reason organisations have been frantically updating data protection policies in the last 18 months, and it will soon come into full effect. The regulation sets out, across Europe, new legislation for organisations to follow to ensure that breaches on the scale of the Equifax breach cannot occur again.