Equifax Form 8-K Filings: Consumer Licenses, Passports Also Exposed in Data Breach

The author of this report previously highlighted the latest rounds of drama surrounding the Equifax (NYSE: EFX) data breach on the regulatory front. Now, the publicly traded credit-monitoring company has submitted new information to regulators documenting, in greater detail, the damage done when hackers targeted the company in late 2017.

According to the company’s most recent filings with the Securities & Exchange Commission (SEC), the names and birth dates of 146.6 million people, the Social Security numbers of 145.5 million people, 99 million pieces of address and location information, and 209,000 payment card numbers and expiration dates were exposed in the breach.

Over 99 percent of the people impacted by the breach had their Social Security numbers exposed. Additionally, of this huge number of impacted individuals, 182,000 also had government-issued identification documents (military IDs, driver’s licenses, passports, etc.) stolen.

“The attackers stole consumer records from a number of database tables with different schemas. With assistance from Mandiant, a cybersecurity firm, forensic investigators were able to standardize certain data elements for further analysis to determine the consumers whose personally identifiable information was stolen,” Equifax wrote in its May 2018 Form 8-K filing with the SEC.

As part of that filing, Equifax attached a Congressional notification for the record describing the company’s notification and remediation efforts for the millions of customers that were impacted.

“For example, not every database table contained a field for driver’s license number, and for more common elements like first name, one table may have labeled the column containing first name as ‘FIRSTNAME,’ another may have used ‘USER_FIRST_NAME,’ and a third may have used ‘FIRST_NM,’” the filing further indicates. “With assistance from Mandiant … forensic investigators were able … to determine the impacted consumers [for] Equifax’s notification obligations.”
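The column-label problem the filing describes can be shown with a small schema-normalization pass that counts each consumer once per exposed data element. This is an added example, not code from Equifax or Mandiant; only the three first-name labels come from the filing, while the other column aliases, the table names and all records are constructed.

```python
import re
from collections import defaultdict

# Canonical field -> column labels. The first-name labels are quoted in the
# filing; the SSN and licence aliases are constructed assumptions.
ALIASES = {
    "first_name": {"FIRSTNAME", "USER_FIRST_NAME", "FIRST_NM"},
    "ssn": {"SSN", "SOC_SEC_NO"},
    "dl_number": {"DL_NUM", "DRIVERS_LICENSE"},
}
COLUMN_TO_FIELD = {col: field for field, cols in ALIASES.items() for col in cols}

def normalize_row(row):
    """Map a raw row (column -> value) onto canonical fields, dropping empties."""
    out = {}
    for col, value in row.items():
        field = COLUMN_TO_FIELD.get(col.strip().upper())
        if field is None or value is None or not str(value).strip():
            continue
        value = str(value).strip()
        if field == "ssn":
            value = re.sub(r"\D", "", value)  # "000-11-2222" and "000112222" match
        out[field] = value
    return out

def impacted_by_element(tables):
    """Return ({field: unique consumers exposed}, {columns with no mapping})."""
    exposed, unmapped = defaultdict(set), set()
    for rows in tables.values():
        for row in rows:
            unmapped.update(c for c in row if c.strip().upper() not in COLUMN_TO_FIELD)
            rec = normalize_row(row)
            # Deduplicate on SSN; fall back to licence number when a table has no SSN.
            key = rec.get("ssn") or ("dl:" + rec["dl_number"] if "dl_number" in rec else None)
            if key is None:
                continue  # no stable identifier: needs manual review
            for field in rec:
                exposed[field].add(key)
    return {f: len(keys) for f, keys in exposed.items()}, unmapped

# Constructed sample tables with deliberately different schemas.
TABLES = {
    "tbl_a": [{"FIRSTNAME": "Ana", "SSN": "000-11-2222"}],
    "tbl_b": [{"USER_FIRST_NAME": "Ana", "SOC_SEC_NO": "000112222", "DL_NUM": "D100"},
              {"USER_FIRST_NAME": "Ben", "SOC_SEC_NO": "000-33-4444", "DL_NUM": ""}],
    "tbl_c": [{"FIRST_NM": "Cy", "DRIVERS_LICENSE": "D200", "LAST_LOGIN": "2017-05-01"}],
}

if __name__ == "__main__":
    print(impacted_by_element(TABLES))
```

Columns returned in the unmapped set are the ones an analyst still has to classify before the per-element counts can be trusted.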

Reportedly, the company believes it has fulfilled its legal obligation by notifying the impacted consumers individually by mail over a period of a few months in the latter part of 2017.

“Through the company’s analysis, Equifax believes it has satisfied applicable requirements to notify consumers and regulators. It does not anticipate identifying further impacted consumers, as it has now completed analysis of government issued identification numbers stolen together with names,” according to the filing.

The company’s claims have been largely contested by observers. To begin, Equifax fumbled its early communications with impacted consumers by sending them to a fraudulent website and to another website that was infected with a fake Adobe Flash update virus. Consumers who have been contacted by the firm and have not run into any major issues in the resolution process have been given free credit monitoring and protection services.

Since the security breach, Equifax has been under the highest level of scrutiny in investigations backed by Congressional bodies and the Federal Trade Commission. Key leaders within the company have been ousted for failing to respond to the crisis in the way federal regulators required. Additionally, former Equifax executives have been indicted on insider trading charges for allegedly selling off their equity in the company after they were informed of the major breach but before the public was.