The largest breach of 2017 may have been even more serious than initially thought: The cybercriminals behind the Equifax hack accessed user data not previously disclosed by the company, including tax identification numbers, email addresses, and driver’s license information, The Wall Street Journal reported.
- The criminals behind the Equifax breach accessed user data not previously disclosed by the company, including tax identification numbers, email addresses, and driver’s license information (as described several months ago in a press release).
- The Equifax hack and its aftermath should serve as a wake-up call to enterprises about the importance of strong cybersecurity practices.
The Equifax breach, first disclosed in September 2017, impacted 145.5 million people, compromising their names, Social Security numbers, dates of birth, and addresses. The fallout should serve as a wake-up call for enterprises about the consequences of poor security practices, and encourage them to keep up with cyber best practices, TechRepublic contributing writer Matt Asay noted.
The additional data accessed was uncovered by Senate Banking Committee member Elizabeth Warren, after a five-month investigation detailed in a Friday letter to acting Equifax chief executive Paulino do Rego Barros.
It is not yet clear how many of the 145.5 million people are affected by the additional data accessed, the Journal noted.
“We are fully aware — and have been — of the data that was stolen,” Equifax spokesperson Meredith Griffanti told our sister site ZDNet. Griffanti said that the company had always been clear about the data “primarily included” in the breach, but that it has recently given the Senate Banking Committee information “that may have been accessed that we categorized and analyzed in the forensic investigation.”
“We sent direct mail notices to those consumers whose credit card numbers or dispute documents with [personal data] were impacted,” Griffanti told ZDNet.
Equifax’s response to the breach has been widely criticized: First, the company established a data breach checker that was essentially useless. Then, it tweeted a link to a fake phishing site in an attempt to direct affected customers to its support site.