Security Equifax reveals full horror of that monstrous cyber-heist of its servers

[tao]

146 million people, 99 million addresses, 209,000 payment cards, 38,000 drivers' licenses and 3,200 passports

 

Equifax has published yet more details on the personal records and sensitive information stolen by miscreants after they hacked its databases in 2017.

 

The good news: the number of individuals affected by the network intrusion hasn't increased from the 146.6 million Equifax previously announced, but extra types of records accessed by the hackers have turned up in Mandiant's ongoing audit of the security breach.

 

In February, in response to questions from US Senator Elizabeth Warren (D-MA), Equifax agreed that card expiry dates and tax IDs could have been among the siphoned data, but it hadn't yet worked out how many people were affected.

 

Late last week, the company gave the numbers in letters to the various US congressional committees investigating the network infiltration, and on Monday, it submitted a letter to the SEC, corporate America's financial watchdog.

 

As well as the – take a breath – 146.6 million names, 146.6 million dates of birth, 145.5 million social security numbers, 99 million address information and 209,000 payment cards (number and expiry date) exposed, the company said there were also 38,000 American drivers' licenses and 3,200 passport details lifted, too.

 

The further details emerged after Mandiant's investigators helped “standardise certain data elements for further analysis to determine the consumers whose personally identifiable information was stolen.”

 

The extra data elements, the company said, didn't involve any individuals not already known to be part of the super-hack, so no additional consumer notifications are required.

 

The cyber-break-in occurred because Equifax ran an unpatched and therefore insecure version of Apache Struts, something it blamed on a single employee.

 

At February's RSA conference in San Francisco, Derek Weeks of Sonatype claimed “thousands” of companies continued to download vulnerable versions of Struts (video below). ®

 

< Here >

 

 

[straycat19]

Immediately after the event all our credit cards were replaced and we were issued new drivers licenses, all within 24 hours.  We don't use passports so that wasn't a problem.  There was also a mass freezing of our credit on all four credit bureaus.  Most people only know about Experian, Equifax, and Transunion, but there is a fourth called Innovis.

[Dean213]

Equifax Admits Passport Numbers Were Stolen in Breach

An Equifax spokeswoman told PCMag that the company 'manually reviewed' the images stolen from its dispute portal and found 3,200 photos of passports or passport cards.

 

Source

 

The fallout from Equifax's 2017 mega breach continues.

 

As was first reported by the Associated Press, the credit reporting agency's lawyers sent a letter to the Senate Banking Committee last week revealing that thousands of images of passports were stolen in the breach. Consumers provided those images to the company to dispute inaccuracies in their credit reports.

 

The revelation comes after Equifax in February specifically denied that passport numbers were included in the breach.

 

In a statement to PCMag, Equifax spokeswoman Meredith Griffanti said the company "manually reviewed" the photos stolen from its dispute portal and "found 3,200 images of passports or passport cards."

 

Equifax says these are not new victims. The company already counted all the people whose passport images were stolen in its previously announced breach totals. "Consumers who had information accessed by the attackers have been notified and provided with a list of the files they had uploaded, as well as the dates of those uploads," Griffanti added.

 

The company had not fully analyzed the documents stolen from its dispute portal when it said no passport numbers were affected.

 

When it first disclosed the breach in September 2017, Equifax said it affected 143 million people, but a month later upped that estimate to 145.5 million. This March, Equifax announced it had discovered 2.4 million additional victims, bringing the total number of impacted individuals to 147.9 million. The company initiallty said the hackers made away with names, Social Security numbers, birth dates, addresses, some driver's license numbers, along with some credit card numbers, and other documents containing personal information.

 

Meanwhile, Equifax may wind up getting a just slap on the wrist from the feds over the incident. Reuters earlier this year reported that the new head of the Consumer Financial Protection Bureau, Mick Mulvaney, has scaled back the agency's investigation into the breach.

[straycat19]

This tidbit was covered in a previous post.

 

 

[DKT27]

Topics merged.