The Wall Street Journal | By AnnaMaria Andriotis | February 9, 2018
Hackers in the Equifax Inc. breach accessed more of consumers’ personal information than the company disclosed publicly last year.
Equifax said, in a document submitted to the Senate Banking Committee and reviewed by The Wall Street Journal, that cyberthieves accessed records across numerous tables in its systems that included such data as tax identification numbers, email addresses and driver’s license information beyond the license numbers it originally disclosed.
The disclosure comes some five months after Equifax said it had been breached and personal information belonging to 145.5 million consumers had been compromised, including names, Social Security numbers, dates of birth and addresses. The fact that hackers accessed even more data shows both the vast amount of information that Equifax holds and the risks at stake for consumers given the level of personal information that has been compromised.
It is unclear how many of the 145.5 million people are affected by the additional data. Tax ID numbers are often assigned to people who don’t have Social Security numbers.
Hackers also accessed email addresses for some consumers, according to the document and an Equifax spokeswoman, who said an insignificant number of email addresses were affected. She added that email addresses aren’t considered sensitive personal information because they are commonly searchable in public domains.
“We have complied with applicable notification requirements in the disclosure process,” the spokeswoman said, adding that the company has sent mail notices to consumers whose credit-card numbers and certain other documents were affected.
As for tax ID numbers, the Equifax spokeswoman said they “were generally housed in the same field” as Social Security numbers. She added that individuals without a Social Security number could use their tax ID number to see if they were affected by the hack.
Equifax also said, in response to questions from the Journal, that some additional driver’s license information had been accessed. The company publicly disclosed in its Sept. 7 breach announcement that driver’s license numbers were accessed; the document submitted to the Senate committee also includes driver’s license issue dates and states.
The Equifax spokeswoman said the “additional driver’s license information accessed other than the driver’s license number was extremely minimal” and “anyone with a potentially affected driver’s license number” can also look up his or her status on an Equifax website.
On Wednesday, Massachusetts Democratic Sen. Elizabeth Warren, who is on the banking committee, released a report on the Equifax hack and the company’s response. She followed up with a letter Friday asking the company for more details about the extent of the hack.
After disclosing the hack in September, Equifax said that several executives, including then-Chief Executive Richard Smith, would retire. Mr. Smith was succeeded by an interim chief executive, Paulino do Rego Barros Jr.
In the weeks following, Mr. Smith and Mr. Barros appeared before congressional committees to discuss the breach; Mr. Barros stated that the company quadrupled spending on security and updated its security tools since the breach.
In January, Equifax launched a free service allowing consumers to lock and unlock their Equifax credit report, a way to help limit access to it. The service is aimed at lessening the chances of thieves opening credit-card accounts or other loans in consumers’ names.