Equifax admits to further data stolen in 2017 hack

Thursday, 15 February, 2018

The US credit rating agency Equifax has admitted it didn’t reveal the full extent of the consumer data hacked in what was the largest single data breach of 2017.

In September Equifax reported that it had suffered a data breach that had affected more than 145 million people, primarily Americans but also including Canadian and British citizens.

The data stolen, the company said at the time, included social security numbers, birth dates, addresses and drivers’ license numbers.

But after investigation by the US Senate Banking Committee it was revealed that more data was stolen than first reported.

Equifax came under intense pressure after publicly confirming the hack last year.

Consumers registered more complaints about the handling of the data breach than about the initial intrusion. A portal set up by company top brass to help potential victims find out whether their data had been leaked was poorly designed and, cybersecurity experts noted, had many features in common with phishing websites.

Nervous users had to enter part of their social security numbers on www.equifaxsecurity2017.com, even though the site was not hosted on a domain belonging to Equifax and did not come with standard security applications.

Fail after fail

The revelations of additional data hacked came to light after investigation by celebrated activist and Senator, Elizabeth Warren.

At the time, Equifax faced criticism when it was revealed that the firm took four months before disclosing the hack and that the vulnerable server to which the hack was attributed had not been patched.

Even after Equifax had disclosed the breach, it struggled to inform users, many of whom had little idea the company had held data on them.

In October, when I asked the CEO about the precise extent of the breach, he couldn’t give me a straight answer. So, for five months I investigated it myself.

My investigation revealed the depth of the breach and cover-up at Equifax. And since I published the report, Equifax has confirmed it is even worse than they told us.

- Senator Elizabeth Warren: Democrat, US Senate Banking Committee

In its defence, Equifax declared the committee’s findings were deeply misleading but did confirm that additional data was impacted by the breach.

The company said it had always been upfront about the hack, that it had informed customers with direct email notices, and that the number of affected customers had not changed.

Equifax CEO Richard Smith, who was rebuked at a hearing in November for failing to answer questions about the breach, was forced to retire. Others to fall on their swords included the Chief Security Officer Susan Mauldin.

Equifax reported it had recently appointed her replacement, Jamil Farshchi, who had previously worked at Home Depot.

Under his watch the home improvement company suffered a data breach in 2014 in which email addresses and payment card data were stolen affecting 56 million Home Depot customers.

Since the breach both Senator Warren and fellow committee member Senator Mark Warner have introduced the Data Breach Prevention and Compensation Act.

The Act will hold credit reporting agencies, such as Equifax, accountable for data breaches that put consumer data at risk. And if passed, Equifax could face billions in fines.

MAIN IMAGE: GotCredit/CC BY 2.0

By: Tim Bamford

Tim is a veteran freelance journalist writing extensively on internet news and cybersecurity.