
Digital Guardian's Blog

Equifax: 2.4M Additional Americans Affected by 2017 Breach



Equifax this week revised the total number of Americans affected by last year’s breach: 147.9 million Americans, as well as some Canadian and British nationals.

Equifax, the credit-reporting agency at the center of last year’s massive data breach, confirmed this week that more Americans than originally reported were impacted by the incident.

According to a press release the company issued early Thursday, an additional 2.4 million U.S. consumers may have had their names and partial driver's license information stolen.

It's the second time the company has revised its estimate for the number of people affected by the breach. In October, a month after the agency first announced the breach, it adjusted its figures, saying 145.5M individuals, up from 143M, may have had their personal information compromised.

If there's a silver lining here, it's the fact that the stolen driver's license information was partial. According to Equifax, for the most part customers' home addresses, states, dates of issuance, or expiration were not included in the data.

The agency was quick on Thursday to downplay the announcement, saying data belonging to the additional 2.4M Americans wasn't just discovered; it was identified as the result of an ongoing analysis that looked at data the attackers didn’t steal.

"This is not about newly discovered stolen data," Paulino do Rego Barros, Jr., Equifax’s Interim Chief Executive Officer, said. "It's about sifting through the previously identified stolen data, analyzing other information in our databases that was not taken by the attackers, and making connections that enabled us to identify additional individuals."

The Equifax breach has spurred some federal action, but it remains to be seen how quickly the legislation will wend its way through Capitol Hill.

Rep. Ted Lieu (D-Los Angeles County) introduced two bills on Thursday, shortly after Equifax’s announcement, designed to safeguard consumer data. The aim of one, the Protecting Consumer Information Act of 2018, is to broaden the Federal Trade Commission’s ability to enforce authority over credit reporting agencies. The second, the Ending Forced Arbitration for Victims of Data Breaches Act, aims to prohibit entities from enacting arbitration clauses for suits related to a data breach.

The bills follow a bill introduced by Democratic Senators Mark R. Warner (D-VA) and Elizabeth Warren (D-MA) in January. That bill, the Data Breach Prevention and Compensation Act, also hopes to keep credit reporting agencies accountable for data breaches that involve consumer data by imposing mandatory penalties and fines of $100 for each consumer who has a piece of personally identifiable information compromised and another $50 for each additional piece of data.

"The financial incentives here are all out of whack," Warren said at the time. "Equifax allowed personal data on more than half the adults in the country to get stolen, and its legal liability is so limited that it may end up making money off the breach."

It was only two weeks ago that lawmakers on the House Committee on Oversight and Government Reform called on the company to extend its offer of free credit monitoring and identity theft protection services. Equifax offered one year of the services for free, but Committee Democrats pressed the agency’s interim CEO in a letter to provide three years, citing statements made by Equifax’s chief information officer that attackers usually wait a year or more before trying to sell data on the dark web.

Chris Brook


Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.