The September 2017 Equifax data breach is the awful gift that keeps on giving.
This week, officials at Equifax, an Atlanta-based credit reporting agency, disclosed more context behind their massive 2017 data breach, which saw personally identifiable information like Social Security numbers and home addresses for 146.6 million Americans stolen in a cyberattack. (If you suspect that you were included in the attack, check out the Federal Trade Commission’s information on the incident.)
Congress pushed the agency to release more granular information after an initial response some critics found lacking. In a Monday filing with the U.S. Securities and Exchange Commission (SEC), Equifax administrators claimed hackers pilfered tens of thousands of vital documents in the attack, including:
- 38,000 driver’s licenses
- 12,000 Social Security/taxpayer ID cards
- 3,200 passports and passport cards
- 3,000 military IDs, state IDs, and resident alien cards
These records are what the Equifax report authors refer to as “dispute documents,” i.e., forms and papers used to dispute mistakes in a person’s credit report. Hackers exposed the documents by accessing the company’s “dispute portal.” Altogether, up to 182,000 U.S. customers submitted documents to the dispute portal. Equifax officials did include these customers in the initial 146.6 million estimate and have since reached out to them via direct mail. In Equifax’s early disclosures, reports mentioned 97,500 customers who’d had their driver’s license numbers accessed but did not mention the full dispute documents.
The danger in cyber-attackers having access to multiple types of documents in addition to what they already had—145 million Social Security numbers, 99 million addresses, 17.6 million email addresses, and 209,000 credit card numbers—is that it can increase the likelihood of ongoing identity fraud, according to arstechnica.com’s Dan Goodin.
If you suspect you’ve been a victim of identity theft, see the FTC’s guide to lost and stolen information.