Equifax: Hackers Also Compromised Driver's Licenses, Passports

Equifax told the Securities and Exchange Commission (SEC) that the data breach it revealed in 2017 compromised more data than previously thought. The company now believes more than 56,000 people had their driver's licenses, passports, and other IDs stolen during the incident.

This is just the latest revelation in Equifax's long series of disclosures related to this data breach. Original estimates in September 2017 said the names, birthdays, email addresses, Social Security numbers, and other personally identifiable data of 143 million Americans were compromised. That number jumped to 145.5 million people a month later. Then, earlier this March, the company said another 2.4 million people were affected.

Equifax has also failed to correctly assess where the people affected by this breach live. The fallout was originally thought to be limited to North America, but in October 2017, the company said thousands of people in Canada and hundreds of thousands of people in the UK were also affected. Now, in addition to not knowing how many people were affected or from where, it seems Equifax didn't know what was taken, either.

But that didn't stop the company from including estimates in its letter to the SEC. Here's Equifax's guess as to how many people were affected:

The company also broke down the compromised ID forms it disclosed in this letter. Equifax said the breached database included the driver's licenses of 38,000 people; the Social Security or taxpayer ID cards of 12,000 people; the passports of 3,200 people; and other forms of identification, such as state-issued ID cards or military IDs, of another 3,000 people. (Again, that's just what the company knows now.)

Equifax said in its letter to the SEC that the "data described above is not additional stolen data, and it does not impact additional consumers," which is its way of saying it hasn't suffered another data breach. It's merely clarifying what was taken in the previously disclosed breach. Hopefully the company won't have to make similar clarifications about who was affected by the breach and how going forward.

Nathaniel Mott
Freelance News & Features Writer

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.

  • Giroro
    Why and how would Equifax have copies of people's ID cards? Was this just some HR database of Equifax employees?
  • stdragon
    20952040 said:
    Why and how would Equifax have copies of people's ID cards? Was this just some HR database of Equifax employees?

    Equifax is one of the BIG THREE bureaus, the other two being Experian and TransUnion. Basically, anytime you open a line of credit (new credit card, car loan, mortgage, default on payment, etc.), your info goes and gets pulled from there.

    Put it another way. If you needed info to conduct ID theft, you couldn't have picked a better place to hack. It's literally a trove of personal information to obtain!!!

    As for the hack itself - it was in part because of a then zero-day exploit in Apache Struts 2.

    https://www.theregister.co.uk/2017/03/09/apache_under_attack_patch_for_zero_day_available/

  • derekullo
    They also stole:
    A copy of all your exams from grades 1-12 (Calculating risk starts young)
    A copy of your social security card
    A copy of your Medicaid card
    A copy of your marriage license (If you are not married they still have a copy, good luck disputing it without a lawyer)
    The rights to your first born child (retroactive of course)
    The best parking spot at work
    The last parking spot at work
    Your personal diary
    Your real personal diary
    The last 2 pieces of fish at Piccadilly
  • kenjitamura
    Equifax must be mighty happy to live in the country with some of the most lax punishments for white collar crimes in the world.

    And in this political climate the people are much more likely to care about the perceived damage immigrants pose over something minor like a string of identity thefts that will leave them in desperate need of some of the social safety net that is now top priority for spending cuts.
  • Co BIY
    "Why and how would Equifax have copies of people's ID cards? Was this just some HR database of Equifax employees?"

    My guess is individuals who have had a previous identity theft problem and used copies of government issued ID to prove who was who. (Explains the small number compared to total records.)
  • hixbot
    It's absolutely criminal that Equifax kept so much information unencrypted. The hackers just had to break into the database, and all the data was plain text. I don't understand why the media freaks out about a Facebook data breach, your likes and dislikes and social media patterns, Congress drags Zuckerberg to testify, this is all minor compared to the Equifax hack. Equifax needs to answer for their crimes. Where is the mainstream media's outrage? Where is Congress on this one? This is big stuff! Credit information, all your critical ID data. We're talking about potential ID theft on a massive scale. Likely state sponsored hackers in China, NK, Russia are selling your ID info to thieves. This needs to be a bigger deal!
  • stdragon
    Criminal? Nah, they're "too big to fail". That precedent has been set with the bailout of the banks during the housing crisis.