An ongoing review of last year’s Equifax data breach has revealed millions more consumers than previously thought had their data exposed.
In an announcement last Thursday, Equifax said an additional 2.4 million persons whose names and partial driver’s license information were stolen in the breach but who had not been included in earlier analyses.
The new discovery brings the tally to 147.9 million consumers whose personally identifiable information was exposed in last year’s Equifax data breach.
The new victims were discovered through an analysis of company records that were not exposed in the Equifax data breach, with the help of a third-party data provider. The investigation has yet to reveal the identity of the hackers. In most cases, Equifax says, the exposed driver’s license information did not include the victim’s home address, state or date of license issuance, or license expiration date.
This subset of victims escaped previous analyses of the Equifax data breach, which focused on victims whose Social Security numbers were stolen. Investigators determined that the hackers were most interested in acquiring Social Security numbers. Social Security numbers were not included in the stolen driver’s license information for the new group of victims.
Interim CEO Paulino do Rego Barros Jr. said in a statement that the newly-identified victims were connected to the known stolen data in the course of the investigation. No new stolen data has been discovered, Barros says.
Equifax says it will notify these newly-discovered data breach victims via mail. The company will offer free credit monitoring and identity theft protection. Information about these services will be included in the notification.
The Equifax data breach was announced in September 2017. Sometime between May and July of that year, hackers were reportedly able to exploit a security flaw in software used to create web applications. The hackers stole records pertaining to millions of consumers – records containing names, birthdates, Social Security numbers, email addresses, credit card numbers, and driver’s license numbers.
Consumers responded quickly with a volley of Equifax class action lawsuits. Plaintiffs say Equifax discovered the breach in July 2017, months before the September 2017 announcement. They allege the company unreasonably delayed announcement of the breach while millions of consumers’ credit information went dangerously exposed.
The plaintiffs also pointed out that Equifax executives dumped around $1.8 million worth of Equifax stock in August 2017, just before the breach was announced.
In addition to private litigation, Equifax is also under investigation by several states’ attorneys general. New York Attorney General Eric Schneiderman has denounced an arbitration clause in Equifax’s terms of service that purports to prevent affected persons from filing an Equifax class action lawsuit. Schneiderman says the clause is “unacceptable and unenforceable.”
Equifax has since clarified that the arbitration clause applies to its Trusted ID Premier service and is not intended to apply to matters related to the Equifax data breach.
Last month, documents submitted to the Senate Banking Committee revealed the Equifax data breach exposed more information than initially announced. Investigation of the breach revealed the hackers gained access to other Equifax company records, in addition to information on individual consumers. Hackers purportedly made off with tax identification numbers, drivers license issuing states, and credit card expiration dates.