Equifax said that an additional 2.4 million Americans have had their personal data stolen as part of the company’s massive 2017 data breach, including their names and some of their driver’s license information.
The additional identified victims bring the total of those implicated in what has become the largest data breach of personal information in history to around 148 million people.
The consumer credit reporting agency on Thursday said that, as part of an “ongoing analysis,” it found that these newly identified victims’ names and partial driver’s license numbers were stolen by attackers. However, unlike the 145.5 million people previously identified as impacted by the 2017 breach, these additional victims’ Social Security numbers were not impacted.
Attackers were also unable to reach additional license details for this latest slew of impacted victims – including the state where their licenses were issued and the expiration dates.
“This is not about newly discovered stolen data,” Paulino do Rego Barros, Jr., interim chief executive officer of Equifax, said in a statement. “It’s about sifting through the previously identified stolen data, analyzing other information in our databases that was not taken by the attackers, and making connections that enabled us to identify additional individuals.”
Equifax said the new victims were not previously identified because their Social Security numbers were not stolen together with their driver’s license information.
“The methodology used in the company’s forensic examination of last year’s cybersecurity incident leveraged Social Security Numbers (SSNs) and names as the key data elements to identify who was affected by the cyberattack,” said the company in a statement. “This was in part because forensics experts had determined that the attackers were predominately focused on stealing SSNs.”
Equifax said it will notify the newly identified consumers directly by U.S. Postal mail, “and will offer identity theft protection and credit file monitoring services at no cost to them.”
The company did not respond to requests for further comment from Threatpost about its current ongoing analysis of the breach.
Ongoing Breach Disclosures
Equifax has been under public scrutiny since September, when it first disclosed the data breach in a statement saying that cybercriminals had exploited an unnamed “U.S. website application vulnerability to gain access to certain files” from May through July 2017. Equifax said it discovered the breach on July 29. The breach enabled criminals to access sensitive data such as Social Security numbers, birth dates and driver’s license numbers.
Later, during Equifax’s testimony in October before the U.S. House Committee on Energy and Commerce Subcommittee on Digital Commerce and Consumer Protection, it was revealed that Equifax had been notified in March of the Apache Struts vulnerability, CVE-2017-5638, to which the breach was later tied, and that the vulnerability had gone unpatched. It was established that while Equifax said it had asked the “applicable personnel responsible” to apply the update, the vulnerability was never fixed.
“It appears that the breach occurred because of both human error and technology failures,” Richard Smith, Equifax CEO at the time, wrote in testimony released at the hearing in October.
Equifax’s botched response to the breach compounded the damage.
After the breach was revealed in September, the company’s site was overwhelmed by traffic from concerned customers, leaving it unreachable. In a separate incident in October, the Equifax site came under fire for harboring adware in a third-party partner’s Flash Player download.
The scope of the breach has also expanded continually since it was first disclosed in September. In October, after an analysis with security company Mandiant, the company said that an additional 2.5 million customers were impacted on top of the 143 million it initially said were affected.
Meanwhile, in February, documents submitted by Equifax to the U.S. Senate Banking Committee revealed that attackers also accessed taxpayer identification numbers, email addresses and credit card expiration dates for certain customers.
This latest batch of impacted customers has renewed anger against the company, with some demanding stricter data-protection legislation, such as the proposed Data Breach Prevention and Compensation Act, which would impose strict security-related fines on credit reporting agencies.
My office is continuing our investigation of #Equifax so we can get to the bottom of how this disastrous data breach happened.
We also need to change the law.
— Eric Schneiderman (@AGSchneiderman) March 1, 2018
This is unacceptable. The California Department of Justice will continue to get to the bottom of this massive cybersecurity incident. We are committed to holding #Equifax accountable to the fullest extent of the law. https://t.co/fRPrUWcIyg
— Xavier Becerra (@AGBecerra) March 1, 2018
Equifax, meanwhile, remains under investigation by several federal and state agencies, including a probe by the Consumer Financial Protection Bureau.
Customers can see if their personal information has been breached by clicking on an “Am I Impacted” tool on Equifax’s website. The company also advised consumers to visit its web portal where they can review their account statements and credit reports, identify any unauthorized activity, and protect their personal information from attack.
The company handles data on more than 820 million customers and 91 million businesses worldwide.