Equifax has publicly disclosed additional details on its 2017 cybersecurity incident which it submitted to a number of Congressional committees in response to their requests for information.
The company said the disclosure is part of its commitment to transparency, adding that the additional details do not identify additional stolen data or newly impacted consumers, and does not require additional consumer notifications.
Equifax confirmed the approximate number of impacted US consumers in the cybersecurity incident: 146.6 million for names and dates of birth, 145.5 million for Social Security numbers, 99 million for address information, 27.3 million for gender, 20.3 million for phone numbers, 17.6 million for driver’s license numbers, 1.8 million for email addresses, 209,000 for payment card numbers and expiration dates, 97,500 for TaxID, and 27,000 for driver’s license states.
In addition to those data, the attackers also accessed images uploaded to Equifax’s online dispute portal by approximately 182,000 US consumers. As a national credit reporting agency, Equifax said it has a statutory obligation to facilitate disputes for consumers.
Equifax’s recent analysis determined the approximate number of valid US government-issued identifications that had been uploaded to the dispute portal: 38,000 driver’s licenses, 12,000 social security or taxpayer ID cards, 3,200 passports or passport cards, and 3,000 other government-issued identification documents such as military IDs, state-issued IDs, and resident alien cards. The company had not previously analyzed the government-issued identifications contained in the images uploaded in the dispute portal.
Equifax also reiterated in its statement that its forensics experts found no evidence that the company’s US and international core consumer, employment and income, or commercial credit reporting databases were accessed as part of the cyberattack.