Equifax filing reveals hack was somehow even worse than previous estimates

The 2017 hack of Equifax, already among the largest ever recorded, just got bigger. Well, they’re admitting that it was bigger than they had previously admitted, which amounts to the same thing. Documents filed with the SEC reveal that more people, more IDs, and more info in general were stolen when the company utterly failed to protect its “users,” many of whom didn’t even know they were in the database.

The company revealed various numbers around the time it disclosed the hack, though one it neglected to include was how many millions of dollars in stock were sold by executives before publicly disclosing it. But let’s not linger on their past crimes. I’m sure they’re very sorry!

Amanda Werner, dressed as Monopoly’s Rich Uncle Pennybags, sits behind Richard Smith, CEO of Equifax, during a Senate hearing.

Today’s information was filed with the Securities and Exchange Commission as part of the company’s disclosures regarding the hack. It provided first a handy table listing what was stolen as raw strings of data from Equifax’s inadequately protected databases:

  • Full name: 146.6M
  • Date of Birth: 146.6M
  • Social Security number: 145.5M
  • Full address: 99M
  • Gender: 27.3M
  • Phone number: 20.3M
  • Driver’s license number (incl. 2.4M partials): 17.6M
  • Email address: 1.8M
  • Credit card numbers (with expiration dates): 209,000
  • Individual Tax Identification Number (ITIN/Tax ID): 97,500
  • Driver’s license state: 27,000

Previous estimates of driver’s license numbers leaked were around 10.9 million, and the total affected was put at 143 million. Sure, the difference between 143 million and 146.6 million is relatively small, but it’s still 3.6 million people.

Second, the filing includes a table listing images stolen by the attackers. These were “uploaded to Equifax’s online dispute portal by approximately 182,000 U.S. consumers,” the document says.

  • Driver’s license: 38,000
  • Social Security or Taxpayer ID Card: 12,000
  • Passport or Passport Card: 3,200
  • Other: 3,000

It’s unclear why these don’t add up to 182,000, but the images could also have been non-valuable things like forms or pictures of assets.

Imagine the kind of havoc you could wreak with even a few isolated data points from this set. Phishing teams and other scammers must be having the time of their lives: with so much official data to use, it’s that much easier to convince someone that a service or email is legitimate. Images of licenses and passports could lead to more sophisticated fraud at borders or in other government situations as well.
