Consumer credit reporting agency released updated information on cybersecurity incident
As a result of ongoing analysis of data stolen in last year’s cybersecurity incident, Equifax Inc. (NYSE: EFX) announced that the company has confirmed the identities of U.S. consumers whose partial driver’s license information was taken. Equifax was able to identify these consumers by referencing other information in proprietary company records that the attackers did not steal, and by engaging the resources of an external data provider.
Through these additional efforts, Equifax was able to identify approximately 2.4 million U.S. consumers whose names and partial driver’s license information were stolen, but who were not in the previously identified affected population discussed in the company’s prior disclosures about the incident. This information was partial because, in the vast majority of cases, it did not include consumers’ home addresses, or their respective driver’s license states, dates of issuance, or expiration dates.
The methodology used in the company’s forensic examination of last year’s cybersecurity incident leveraged Social Security Numbers (SSNs) and names as the key data elements to identify who was affected by the cyberattack. This was in part because forensics experts had determined that the attackers were predominately focused on stealing SSNs. Today’s newly identified consumers were not previously informed because their SSNs were not stolen together with their partial driver’s license information.
“This is not about newly discovered stolen data,” said Paulino do Rego Barros, Jr., Interim Chief Executive Officer. “It’s about sifting through the previously identified stolen data, analyzing other information in our databases that was not taken by the attackers, and making connections that enabled us to identify additional individuals.”
Equifax will notify these newly identified U.S. consumers directly, and will offer identity theft protection and credit file monitoring services at no cost to them. Information about registering for these services will be included in the notification.
“We continue to take broad measures to identify, inform, and protect consumers who may have been affected by this cyberattack,” Barros added. “We are committed to regaining the trust of consumers, improving transparency, and enhancing security across our network.”
As the company committed to do, Equifax launched Lock & Alert™ to all U.S. consumers on January 31. This new service, which is free for life, enables consumers to quickly lock and unlock their Equifax credit report using a computer or app downloaded on their mobile device.
Importantly, the company’s forensics experts have found no evidence that Equifax’s core consumer, employment and income, or commercial credit reporting databases were accessed as part of the cyberattack, and the company believes it will have met all applicable requirements to notify consumers.
Since announcing this incident, Equifax has taken steps to communicate with and assist consumers and customers. Among other things, the company has established a web portal advising U.S. consumers to review their account statements and credit reports, identify any unauthorized activity, and protect their personal information from further attack. Additionally, the company offered free identity theft protection and credit file monitoring services to all U.S. consumers regardless of whether or not they were impacted.