Equifax Finds 2.4 Million New Data Breach Victims

Equifax released new information from its ongoing data breach investigation, including the fact that it found another 2.4 million people who were affected by the attack.

Equifax Data Breach Gets Worse

Last year, Equifax announced that 143 million people were affected by one of the most significant data breaches in history, which exposed people’s Social Security numbers and other personal information.

Later, the company announced that it found another 2.5 million people who were affected by the breach, bringing the total to 145.5 million people. Now, that number has increased to 147.9 million, and it’s possible that the company will find more affected users by the time it concludes the investigation.

The data belonging to these last 2.4 million people didn’t include Social Security numbers; it was only partial driver’s license information. It did not include consumers' home addresses, or their respective driver's license states, dates of issuance, or expiration dates.

Paulino do Rego Barros, Jr., Interim Chief Executive Officer at Equifax, said the following in a press release:

This is not about newly discovered stolen data. It's about sifting through the previously identified stolen data, analyzing other information in our databases that was not taken by the attackers, and making connections that enabled us to identify additional individuals.

Equifax also noted that it will offer identity theft protection and credit file monitoring services at no cost to affected consumers. On January 31, the company launched a mobile app called Lock & Alert that allows consumers to lock and unlock their Equifax credit at will to stop some of the potential abuses of the stolen identity data. The service will be free for life.

However, what Equifax doesn’t say is that criminals will be able to exploit the stolen Social Security numbers and driver’s license information for more than just credit fraud. Malicious actors will continue to abuse this information until the U.S. government comes up with a more secure identity system that doesn’t involve having citizens share their supposedly secret identifiers with almost any company that asks for them. In this particular case, it was the banks and retailers that shared people's Social Security numbers with Equifax and other credit reporting agencies.

Congress Has Protected Equifax

Last year, Equifax encouraged consumers to visit a newly set up site to check whether or not their data was stolen. However, the moment they did that, Equifax bound them by an arbitration agreement that forbade those people from suing the company over the data breach.

Normally, these agreements are not legally binding, but soon after, Congress passed a law that would enforce such agreements. It’s still not clear whether or not this law is constitutional, and that would have to be proven in court first. Equifax eventually removed this agreement from its site after some backlash.

Senator Elizabeth Warren, who recently introduced legislation to hold credit reporting agencies liable for data breaches, said in an interview with Marketplace that Equifax may be able to profit from its own data breach:

Equifax may actually make money off this breach because it sells all these credit-protection devices, and even consumers who say, "Hey, I'm never doing business with Equifax again," well, good for you, but you go buy credit protection from someone else, they very well may be using Equifax to do the back office part. So Equifax is still making money off their own breach.

It makes sense that if companies aren’t liable in any way for data breaches, then they are not only encouraged to gather as much data as possible about anyone, but they may be much more careless with their security practices, too.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • Christopher1
    Can we shut down Equifax? Seriously: If this kind of stuff is going on then we NEED to either clamp down on these companies (require them to have very good security practices with punishments if they deviate from them) or just have no 'credit-checking' companies in the first place.