The Equifax hack just keeps getting worse. The first revelations were made on September 7, that Equifax had discovered on July 29 that it had been hacked sometime between “mid-May through July,” and that the crown jewels of consumer data, including Social Security numbers, on 143 million US consumers were stolen. The tally has since been raised to 145.5 million consumers. In terms of quantity and sensitivity, it was the worst consumer data hack in US history.
“In some instances” driver’s license data were also stolen, the company disclosed at the time. Driver’s license data includes license number, name, address, date of birth, and basic physical features of the person. This is important and valuable data for identity thieves and other fraudsters and fills in some gaps in the other data that had been stolen.
But without telling consumers, Equifax went around and told its customers – mainly banks and credit card companies – that the tally of driver’s license data that had also been stolen, previously minimized with the phrase “in some instances,” amounted to driver’s licenses of 10.9 million consumers.
This wasn’t an announcement disclosed by the company in a vapid and robotically apologetic press release, but was leaked by “people familiar with the matter,” and reported today by the Wall Street Journal.
The fact that consumers whose DL data had been stolen and who’d become more vulnerable to some fraud didn’t need to be informed about it fortifies the simple fact that, for Equifax, consumers are just the lowly product – and dealing with that product is just an expense.
How did Equifax even get this driver’s license data in the first place?
In many cases, Equifax asked consumers for their driver’s license number when they contacted the company, claiming it was needed to verify their identity. In other cases, Equifax asked for the DL number at its website set up to resolve credit-report discrepancies. The Wall Street Journal:
The dispute-resolution page appears to have been at least one avenue hackers used to access the company’s systems. This was done by hackers exploiting a security vulnerability in software that ran on the dispute portal’s web application.
Former CEO Richard Smith said during the congressional hearings last week that Equifax had seen a public notification of this vulnerability, for which a patch already existed. He then blamed one sole and solitary employee and a system scan for the whole fiasco, claiming that this employee failed to tell others to patch this vulnerability, and that a system scan failed to detect the missing patch.
So this information of the stolen driver’s license data of 15.9 million US consumers was leaked by “people familiar with the matter.” At the same time in the UK today, the company did disclose an additional whopper.
During the September 7 disclosure, the company said that “limited personal information for certain UK and Canadian residents” had also been compromised. A week later it said that about 400,000 consumers in the UK may have had their personal data stolen in the hack. Today, in a UK disclosure, Equifax added some detail on what “certain” and “400,000” really meant…
Turns out data of 15.2 million UK consumers has been stolen. That’s 30% of the UK population aged 20 and over. The file that was compromised contained records dating from 2011 through 2016. The company claims that records of 14.5 million of these consumers contained only the name and date of birth and didn’t contain data that would put consumers at risk. But sensitive information was stolen that put the remaining 693,665 consumers at risk.