The hack became the largest single data breach reported in 2017.
Hackers likely stole more data from Equifax in a breach last year than initially thought, according to the results of an investigation by a senior lawmaker.
In September, the Atlanta, GA-based credit giant revealed a huge data breach, including names, social security numbers, birth dates, home addresses, and in some cases driver’s license numbers. It was later confirmed over 145 million were affected, primarily Americans, but also some Canadians and British citizens.
The hack became the largest single data breach reported in 2017.
But documents seen by members of the Senate Banking Committee suggest the types of data stolen were wider than the company first reported.
A letter published Friday by committee member Sen. Elizabeth Warren (D-MA) to acting Equifax chief executive Paulino do Rego Barros summarized the senator’s five-month investigation into the Equifax breach, which said tax identification numbers (TINs), email addresses, and additional license information — such as issue dates and by which state — were not originally disclosed,
The news of the documents was first reported by The Wall Street Journal.
Tax identification numbers are usually issued by the Internal Revenue Service to workers who aren’t eligible for a Social Security number, like foreign nationals, in order to report income and file tax returns.
The exposure of tax identification numbers was likely because they were found in the same portion of the database where other tax numbers, like Social Security numbers, were stored.
Warren also said in her letter that the company „continues to offer vague and misleading statements regarding whether passport numbers were compromised in the breach.“ But the senator, citing another report by the Journal, said Equifax denied that passport numbers were compromised, contrary to the company’s assertion that they were part of the „attacker-accessed tables.“
Commenting in several tweets, Warren said: „In October, when I asked the CEO about the precise extent of the breach, he couldn’t give me a straight answer. So for five months, I investigated it myself.“
„My investigation revealed the depth of the breach and cover-up at Equifax,“ she added . „And since I published the report, Equifax has confirmed it is even worse than they told us.“
In the company’s response to lawmakers, Equifax said the list of types of stolen data is „not exhaustive,“ but represents common kind of personal data that hackers search for.
Equifax spokespeople could not be reached Saturday. If that changes, we’ll update.
Since the breach, the company has been accused of persistently botching its response. Not only did Equifax take four months to disclose the hack, the breach was later attributed to a vulnerable server that the company had failed to patch earlier in the year. After the hack was eventually disclosed, Equifax struggled to inform its customers — many of which had no idea the company was hoarding data on them in the first place — if they were vulnerable.
Lawmakers have also expressed their frustration at the company’s handling of the incident.
Richard Smith, who retired as the company’s chief executive following the breach, was later rebuked by lawmakers at a hearing in November for failing to answer basic questions about the hack.
Although lawmakers vowed to investigate, the government body charged with consumer protections, the Consumer Financial Protection Bureau, reportedly halted its investigation following a change in leadership.
Several senators have demanded answers to know why the investigation stopped.
Meanwhile, Warren, along with fellow committee member Sen. Mark Warner (D-VA), introduced the Data Breach Prevention and Compensation Act, which the senators said in comments will hold large credit reporting agencies accountable for data breaches involving consumer data.
The bill, if passed, would fine credit rating giants $100 for each consumer who had one piece of personal data stolen, and $50 for each additional set of personal data compromised.
Under the legislation, Equifax would have to pay billions in damages for its 2017 breach.
