Brian Jackson - Fotolia

Equifax ups breach figure by a further 2.5 million

Credit rating agency Equifax has increased the number of US records believed to have been compromised in 2017

Equifax has once again revised upwards by 2.5 million the number of US records breached between mid-May and July 2017, bringing the total to 148 million.

The company initially said 143 million records had been exposed when it reported the breach in September 2017, but a month later it increased the figure by 2.5 million to 145.5 million, saying the affected data included names, addresses and social security numbers.

Equifax said the new total was the result of continued analysis of the breach, and that the company would notify the newly identified US consumers directly and offer identity theft protection and credit file monitoring services at no cost. However, the company said only the names and driver’s licence numbers were exposed in the newly discovered cases.

The breach, which was blamed on a failure to patch all Equifax IT systems to prevent hackers from taking advantage of a vulnerability in the Apache Struts web application framework, also affected around 694,000 UK consumers.

The UK data was restricted to name, date of birth, email address and a telephone number, but did not include any residential address information, password information or financial data, said Equifax.

The announcement of the additional US consumers affected coincided with the release of the company’s earnings statement for the fourth quarter and full year that revealed the breach cost $114m after insurance payouts.

The breach also saw the departure of CEO Richard Smith, chief information officer Susan Mauldin and chief security officer David Webb.

Despite the breach, the company reported profits of $587.3m, a rise of 20% compared with the full year 2016, due to a strong performance in its international business and new tax cuts approved in the US.

Read more about the Equifax breach

  • Heads roll as Equifax reveals 400,000 Britons affected by breach.
  • Equifax appears to have failed to roll out a patch that might have stopped breach of its systems.
  • Experts criticise Equifax breach response as insufficient and say the company was likely not prepared for such an incident.
  • While doing preparation work for GDPR, organisations should look at the Equifax breach and understand they would have to notify consumers of a problem much sooner.

Paulino Barros, interim chief executive officer at Equifax, said the company had invested heavily in advancing its data security infrastructure and improving consumer support.

Equifax has been criticised widely over the breach and for taking so long to notify those affected by it, but Barros went on to say: “While the job [of advancing the company’s data security] is not over, I believe we have responded well thanks to the strong support of our board of directors, the commitment of our senior leadership team, outside partners, and the dedication of our 10,000+ employees around the world.”

There will be a lot of “heavy lifting” in 2018 and 2019, he said, as Equifax implements new data security initiatives to restore confidence with customers and consumers.

“I sense a great level of enthusiasm and commitment to move this company forward with a heightened level of focus on protecting and safeguarding all of the consumer and commercial information we store and manage,” Barros added.

Giovanni Vigna, co-founder and CTO of security firm Lastline, said the fact that Equifax had found another 2.5 million consumers affected by the breach months after it was discovered showed how difficult it was to determine the extent of a breach.

“Personal information can be retrieved using a simple SQL query against a database, or could be found in log files from applications such as web proxies and mail servers,” he said.

“When organisations whose sole existence is collecting and managing the most intimate of personal data can’t truly determine the scope of an incident months after, are we certain we’re doing everything we can to protect our own customers’ data?”
Richard Henderson, Absolute

“That’s why it is important to characterise the classes of information handled by internal processes and understand where the information could be stored as a side-effect of application-level actions,” Vigna added.

Richard Henderson, global security strategist at security firm Absolute, said the latest news around the Equifax breach should be ringing alarm bells at every other corporation in the world.

“They should be asking themselves this simple question: when organisations whose sole existence is collecting and managing the most intimate of personal data can’t truly determine the scope of an incident months and months after, are we certain we’re doing everything we can to protect our own customers’ data?” 

Equifax reportedly holds data on more than 820 million consumers, as well as information on 91 million businesses.

Read more on IT for financial services