Equifax reveals full horror of its data breach
Equifax has published yet more detail on the data lost in its now-infamous 2017 data breach.
The good news: the number of individuals affected in the breach hasn’t increased from the 146.6 million it previously announced, but extra data records turned up in Mandiant’s ongoing audit of the breach.
In February, in response to questions from Senator Elizabeth Warren, Equifax agreed that card expiry dates and tax IDs could have been among the lost data, but it hadn’t yet worked out how many people were affected.
Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc
Late last week, the company gave the numbers in letters to the various congressional committees investigating the breach, and on Monday, it filed the letter with the SEC.
As well as the (take a breath) 146.6 million names, 146.6 million dates of birth, 145.5 million social security numbers, 99 million address information and 209,000 payment cards (number and expiry date) breached, the company says, there were also 38,000 US drivers’ licenses and 3,200 passport details.
The further details emerged after Mandiant’s investigators helped “standardise certain data elements for further analysis to determine the consumers whose personally identifiable information was stolen.”
The extra data elements, the company said, didn’t involve any individuals not already known to be part of the breach, so no additional consumer notifications are required.
The breach occurred because Equifax ran an unpatched version of Apache Struts, something it blamed on a single employee.
At February’s RSA conference in San Francisco, Derek Weeks of Sonatype claimed “thousands” of companies continued to download vulnerable versions of Struts (video below). ®
Sponsored:
Minds Mastering Machines – Call for papers now open
Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/05/08/equifax_breach_may_2018/