Equifax details numbers of its infamous data breach

by Gabriel E. Hall - - 2018-05-09

Equifax reveals that 3.6 million more people were affected by the data leak

Equifax data breach numbers announced

Equifax, a consumer credit reporting agency, has finally sent an official report to a few US Congressional committees regarding the massive data breach that was revealed on September 2017.^[1] The company had previously exposed the approximate number of its data breach, which totaled to 143 million consumers from UK, USA and Canada. The massive information leak occurred after Equifax failed to identify and patch Apache Struts^[2] vulnerability.

On May 4, it was revered in a U.S. Securities and Exchange Commission (SEC) Form 8-K filing^[3] that the personal data of as many as 146.6 million users was leaked. As it is obvious, 3.6 million more people than it was initially announced by the company fell victims of the information breach. Sure, it does not seem like a huge difference, but there is yet another 3.6 million people who haven't been warned about this incident properly.

Type of exposed data announced

Equifax has also reported more details involving the incident, including the following numbers of lost data:

Name – 146.6 million
Date of Birth – 146.6 million
Social Security Number – 145.5 million
Address Information – 99 million
Gender – 27.3 million
Phone Number – 20.3 million
Email Address – 1.8 million
Payment Card Number and Expiration Date – 209,000
TaxID – 97,500
Driver’s License State – 27,000

Additionally, the SEC form revealed the amount of certain government-issued identification card pictures exposed (note: the “Other” category includes such documents as state-issued IDs, military IDs and similar):

Driver’s License – 38,000
Social Security or Taxpayer ID Card – 12,000
Passport or Passport Card – 3,200
Other – 3,000

These details were discovered when the company analyzed the government-issued IDs which were uploaded to the official dispute portal by victims.

Data breaches are becoming more frequent – security measures should be undertaken

Equifax is not the only company that got affected by Apache Struts vulnerability. There are as much as 10,801 organizations that are also believed to download and implement the vulnerable versions of the software. According to the research, 57% of those affected companies were included in Fortune Global 100.^[4]

According to Nick Bilogorskiy, cybersecurity strategist at Juniper Networks, even Equifax could have avoided the terrible data breach, if only they would patch it on time:

Seven months should be enough time for organizations to install the necessary patches and it's unfortunate that so many still choose to download the older vulnerable versions. There is really no excuse for this. CVE-2017-5683 was fixed in the Apache Struts versions 2.5.13 in September 2017

In addition to software vulnerabilities, there are also chances of other data leaks, including system bugs^[5] or accidental exposure. Therefore, it is vital to not only patch software on time and obtain reputable security software, but also keep passwords safe and change them regularly.

About the author

Gabriel E. Hall - Passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.

Contact Gabriel E. Hall
About the company Esolutions

References

^ Gabriel E. Hall. Equifax breach: 143 million Americans are at risk of identity theft. 2-spyware. Cybersecurity news and articles.
^ Michael Heller. Apache Struts vulnerability blamed for Equifax data breach. SearchSecurity. Source for security information.
^ EQUIFAX’S STATEMENT FOR THE RECORD REGARDING THE EXTENT OF THE CYBERSECURITY INCIDENT ANNOUNCED ON SEPTEMBER 7, 2017. Securities and Exchange Commission. Form 8-K.
^ Global 500. Fortune. News network.
^ Lindsey O'Donnell. Twitter urges users to change passwords due to glitch. ThreatPost. An independent news site.