tadamichi - Fotolia

Equifax breach worsens, additional consumer data exposed

The Equifax breach compromised even more consumer data, including tax identification numbers, than originally reported. But the credit rating agency didn't disclose the update.

Equifax acknowledged its 2017 breach exposed more consumer data than it previously claimed, raising questions about why it didn't inform the public of the expanded scope of the incident.

The Equifax breach, which was first disclosed in September, exposed the personal information of over 145 million consumers. The credit-reporting giant said then that the compromised data included customers' names, Social Security numbers, birthdates, addresses, and some driver's license and credit card numbers.

But according to a report from the Wall Street Journal, a document Equifax submitted to the Senate Banking Committee revealed even more types of data were compromised. Most notably, the document said consumers' tax identification numbers, email addresses and driver's license information beyond the numbers were also exposed.

The original Equifax breach disclosure also said 143 million U.S.-based consumers were affected, but later revised that and said an additional 2.5 million consumers were affected, not including the hundreds of thousands of consumers affected in the U.K.

The revised number was made public in October after Equifax completed its internal investigation into the data breach, which was led by security vendor Mandiant. Equifax spokesperson Meredith Griffanti told SearchSecurity the investigation "uncovered everything," including the exposed tax identification numbers.

However, the full extent of the consumer data compromised in the Equifax breach was never directly disclosed by the company and wasn't made public until the Wall Street Journal's report last week. Griffanti told SearchSecurity that the number of affected consumers has not risen -- it remains at 145.5 million. "We're not trying to downplay anything," Griffanti said, adding that media coverage of this discovery has been "misleading."

Griffanti emphasized the original press release put out by Equifax said "information accessed primarily includes" Social Security numbers, birthdates and addresses.

"The information we've given to the public has stayed consistent," Griffanti said. "We had no intention of being inconsistent."

The full list of exposed data was only provided to the Senate Banking Committee. The exact date the document was submitted to the Senate Banking Committee is unclear, though a letter from Sen. Elizabeth Warren (D-Mass.) said it was submitted in "early 2018."

Warren also recently released a scathing report following her five-month investigation into the Equifax breach response. In the report, Warren criticized Equifax's handling of earlier disclosures about the breach, including the original notification process.

The breach occurred in May 2017, but Equifax didn't notice until July, and then didn't publicly disclose it until September.

"By failing to provide adequate information in a timely fashion, Equifax robbed consumers of the ability to take precautionary measures to protect themselves, materially injured investors and withheld market-moving information, and prevented federal and state governments from taking action to mitigate the impacts of the breach," Warren wrote in the report.

Equifax came under widespread criticism for its handling of the data breach. Beyond the time it took to alert the public to the security incident, the company also came under fire for what happened after the breach. For example, a website Equifax set up to help worried consumers figure out if their data was exposed in the breach was itself targeted by drive-by download attacks.

In addition, lawmakers criticized Equifax's breach response during a hearing for the Senate Committee on Commerce, Science, and Transportation in which interim CEO Paulino do Rego Barros Jr. admitted he didn't know if the company was currently encrypting consumer data.

Griffanti said the website was, and still is, the most secure way for consumers to check to see if their information has been compromised, though it hasn't been updated since October 2017 and doesn't include information about consumers' tax identification numbers and email addresses being exposed.

Dig Deeper on Data security and privacy