A massive data breach that the U.S. credit rating agency Equifax suffered last year may have compromised more personal information of customers than the agency initially revealed.
Equifax has earned the wrath of lawmakers in the U.S. for issuing ‘incomplete, confusing and contradictory statements’ regarding the true impact of last year’s data breach.
Back in January, Equifax announced that in addition to 693,665 Britons whose driving license numbers, Equifax usernames, passwords, email addresses and partial credit card details were compromised by last year’s data breach, phone numbers of a further 167,431 British customers were also exposed to hackers behind the incident.
However, Equifax added that since such phone numbers were already publicly available in the Phone Book before they were accessed by the hackers, these customers were not exposed to any further risk.
That Equifax did not initially reveal accurate details of the amount of data compromised by the breach also came to light after CNN Money accessed confidential documents Equifax provided to the Senate Banking Committee.
While Equifax initially stated that driving license numbers of some of its customers were compromised by the breach, the documents revealed that the breach also exposed license states and issue dates associated with such driving licenses. They also revealed that tax IDs of some Equifax customers were exposed to hackers last year.
‘As your company continues to issue incomplete, confusing and contradictory statements and hide information from Congress and the public, it is clear that five months after the breach was publicly announced, Equifax has yet to answer this simple question in full: what was the precise extent of the breach?’ wrote Democratic Senator Elizabeth Warren in a letter to Equifax CEO Paulino do Rego Barros Jr.
Equifax, in turn, told CNN Money that ‘the original list of vulnerable personal information was never intended to represent the full list of potentially exposed information’. The agency also told lawmakers that the initial list of affected information was ‘not exhaustive’ but represented ‘common personal information that hackers usually search for’.
The news comes not long after Reuters revealed that following the appointment of Mick Mulvaney as its new director, the U.S. Consumer Financial Protection Bureau put on hold a full-scale investigation into how Equifax failed to protect personal details of millions of customers following the breach.
‘Three sources say, though, Mulvaney, the new CFPB chief, has not ordered subpoenas against Equifax or sought sworn testimony from executives, routine steps when launching a full-scale probe. Meanwhile the CFPB has shelved plans for on-the-ground tests of how Equifax protects data, an idea backed by Cordray.
‘The CFPB also recently rebuffed bank regulators at the Federal Reserve, Federal Deposit Insurance Corp and Office of the Comptroller of the Currency when they offered to help with on-site exams of credit bureaus, said two sources familiar with the matter,’ said Reuters. This was quite a departure from the CFPB’s previous stance when it was headed by Richard Cordray.
After Equifax announced the breach to the public last year, Cordray had announced that his department would conduct a full-scale investigation into how Equifax failed to protect personal details of millions of customers. Cordray had also expressly asked bank regulators to join in fresh cyber security exams of the bureaus after the breach took place.
Despite such concerns, Equifax continues to be involved in the identity security system for the MySocialSecurity online portal which is owned by the US’s Social Service Administration.
In fact, according to POLITICO, Equifax was awarded a $7.25 million contract in October last year ‘to verify taxpayer identities and help prevent fraud under a no-bid contract issued last week, even as lawmakers lash the embattled company about a massive security breach that exposed personal information of as many as 145.5 million Americans.’