Equifax revealed in a government filing a complete breakdown of how many records in each category of personal information was compromised in the massive data breach the financial firm revealed last fall included more than 100 million names, birthdates and Social Security numbers.
This latest chapter in the Equifax data breach saga, which began in September 2017 when the company reported it missed finding and patching an Apache Struts vulnerability leading to the data of 147.9 million consumers being compromised, was revealed in a U.S. Securities and Exchange Commission (SEC) Form 8-K filing dated May 4.
Equifax reported 146.6 million names, 146.6 million dates of birth, 145.5 million Social Security numbers, address information for 99 million, the gender of 27.3 million people, 203.3 million phone numbers, the driver's license numbers of 17.6 million people, 1.8 million email addresses, the payment card numbers and expiration dates for 209,000 people, the TaxIDs of 97,500 and driver's license states for 27,000 people.
In addition the SEC form revealed that specifically 38,000 driver's licenses, 12,000 Social Security or taxpayer ID cards, 3,200 passports or passport cards and 3,000 other government-issued identification documents such as military IDs, state-issued IDs and resident alien cards were among the pieces of personally identifiable information exposed when the Equifax dispute portal alone was breached.
The new information does not add any additional victims to the total but gives a great more detail on the type of information the breach exposed.
This information was uncovered when the company analyzed the government-issued identifications contained in the images uploaded in the dispute portal by the consumers affected. This analytical effort was done at the behest of the government and has enabled Equifax to fully detail not only the information above, but categorize all the breached material.
“We already knew that the scale of this breach was staggering, but it is still shocking that it was caused by just one piece of insecure software,” said Andrew Avanessian, Avecto COO.
The Apache Struts vulnerability, which has been patched for more than a year, is still plaguing top companies with a new report finding half of global Fortune 100 continue to download flawed Apache Struts used to breach Equifax.