The Equifax Breach: By the Numbers

The credit reporting company filed documents with Congress and federal regulators detailing the breadth of personal data exposure in the 2017 breach.

by Michael E. Kanell, The Atlanta Journal-Constitution / May 9, 2018
Equifax has filed documents with Congress and federal regulators detailing the breadth of the massive data breach the company suffered last year. (Dreamstime/TNS) TNS

(TNS) — Equifax this week filed documents with Congress and federal regulators detailing the breadth of the massive data breach the company suffered last year.

While the outlines of the hacking were known, the filing was an attempt to pin down the number of files accessed in various categories.

According to the Equifax statements filed by the Atlanta-based company with the Securities and Exchange Commission and several Congressional committees, among the data accessed by the hackers:

  • 146.6 million names
  • 146.6 million dates of birth
  • 145.5 million Social Security numbers
  • 99 million addresses
  • 20.3 million phone numbers
  • 17.6 million driver’s license numbers
  • 1.8 million email addresses
  • 97,500 TaxID’s

The papers were filed, the company said, in response to government requests for information.

Equifax first announced the breach on Sept. 7, going quickly from obscure credit agency to household name — and not in a good way. Over the next several months, the company periodically reported new categories of data that had been accessed. It also bore the brunt of angry Congressional questioning and talk show ridicule.

Company Chief Executive Rick Smith retired under pressure. A new CEO was named in March. The company hired a new data security guru away from Home Depot. One of its rising star tech executives was charged with insider trading. Sen. Elizabeth Warren scalded the company in a report.

At least, profits were up.

In the papers filed this week, the company said the consumer records had been stolen from “a number of database tables with different schemas.”

The company says it worked with Mandiant, a cybersecurity firm, to determine which consumers had their personally identifiable information stolen. But in this week’s filings, Equifax says “the additional detail provided does not identify additional consumers affected, and does not require additional consumer notifications.”

©2018 The Atlanta Journal-Constitution (Atlanta, Ga.) Distributed by Tribune Content Agency, LLC.