Equifax told the Securities and Exchange Commission (SEC) that the data breach it revealed in 2017 compromised more data than previously thought. The company now believes more than 56,000 people had their driver's licenses, passports, and other IDs stolen during the incident.
This is just the latest revelation in Equifax's long series of disclosures related to this data breach. Original estimates in September 2017 said the names, birthdays, email addresses, Social Security numbers, and other personally identifiable data of 143 million Americans were compromised. That number jumped to 145.5 million people a month later. Then, earlier this March, the company said another 2.4 million people were affected.
Equifax has also failed to correctly assess where the people affected by this breach live. The fallout was originally thought to be limited to North America, but in October 2017, the company said thousands of people in Canada and hundreds of thousands of people in the UK were also affected. Now, in addition to not knowing how many people were affected or from where, it seems Equifax didn't know what was taken, either.
But that didn't stop the company from including estimates in its letter to the SEC. Here's Equifax's guess as to how many people were affected:
The company also broke down the compromised ID forms it disclosed in this letter. Equifax said the breached database included the driver's licenses of 38,000 people; the Social Security or taxpayer ID cards of 12,000 people; the passports of 3,200 people; and other forms of identification, such as state-issued ID cards or military IDs, of another 3,000 people. (Again, that's just what the company knows now.)
Equifax said in its letter to the SEC that the "data described above is not additional stolen data, and it does not impact additional consumers," which is its way of saying it hasn't suffered another data breach. It's merely clarifying what was taken in the previously disclosed breach. Hopefully the company won't have to make similar clarifications about who was affected by the breach and how going forward.