If you thought the Equifax data breach saga concluded in 2017, you thought wrong. Following a letter sent by Sen. Elizabeth Warren on Feb. 9 which claimed the much-maligned consumer reporting agency had provided “misleading, incomplete or contradictory information” to Congress and the public during the aftermath of the breach, Equifax disclosed documents to the Senate Banking Committee which indicated that the full extent of the breach could be far worse than what is currently known. What might this mean for you as a victim of the Equifax data breach? Why did Equifax fail to disclose certain information until now? What is being done by Equifax and others to right its many wrongs? We’re digging into everything that’s been revealed in recent weeks to keep you up to date.
Forensic investigation revealed the Equifax breach was bigger than reported
Whenever a data breach is discovered and disclosed, there’s a possibility that the numbers reported in the beginning will not match up with those reported after an in-depth investigation is conducted by a cyber forensics team. That’s been true for a number of breaches in the past, and Equifax has already seen its numbers increase several times. Though the data bureau insists that the number of people impacted has not changed, it revealed this week that the cybercriminals responsible for the attack accessed more consumer information than originally reported. This included:
- Tax identification numbers
- Email addresses
- Phone numbers
Additionally, Equifax admitted that some of the “finer” details, such as credit card expiration dates and the issuing states for driver’s licenses, were accessed. The letter from Sen. Warren, which elicited this recent disclosure from Equifax, came as a result of her office’s five-month investigation into the data breach. The politician has criticized the company for using the term “access” when it comes to the data breach, since that implies that the information was merely viewed by the cybercriminals — rather than the reality that the data was taken and could be available to whoever took it (or purchases it down the road) forever. Equifax has come under fire from multiple sources for its handling of the situation, especially the length of time between when the breach first occurred in May 2017 and when it was publicly disclosed in September 2017. While it isn’t exactly surprising that the company is still withholding information from the public, it’s no less worrisome for consumers and lawmakers alike.
Why didn’t Equifax disclose this information until now?
The company claimed that it was not intending to mislead consumers by not disclosing all the potential exposed data. Instead, it claims that it disclosed only the information that affected the greatest number of consumers. The recently revealed elements, an Equifax representative said, impacted a minimal portion of consumers. Regardless, the fact remains that the company only disclosed this information after it was publicly called out on its shady behavior. For a company that is actively trying to repair its reputation, these kinds of disclosures are not going to help it much. One of the biggest problems cited when it came to the poor handling of the breach on Equifax’s part was lack of clear communication — evident when viewing the still-functional data breach disclosure website, which has only been updated once since November 2017 to advertise a new credit locking product launched by Equifax.
What’s being done to make things right?
On its part, beyond offering free credit monitoring and identity theft protection to impacted consumers (note that the enrollment period ended on Jan. 31, 2018), Equifax has committed to upping its security game — quadrupling its cybersecurity spending and hiring a brand new Chief Information Security Officer. Hired just this week, former Home Depot CISO Jamil Farshchi has experience navigating the murky waters of the post-data breach landscape for a company. Still, for many consumers, the response has been and remains lackluster. The fact that we’re just now hearing about tax identification numbers, phone numbers and email addresses being revealed, after tax season has already begun, is exceptionally frustrating. Tax identity theft is a concern for many more consumers this year thanks to the Equifax breach, and both phone numbers and email addresses are highly useful for a number of schemes including phone scams and phishing attacks. Accountability is something that is needed now more than ever, especially when it comes to the collection and storage of mass amounts of personal consumer information.
Unfortunately, it’s a mixed bag when it comes to the government’s response to the Equifax breach (and others like it). The Consumer Financial Protection Board, under new leadership, has recently suspended its investigation into the matter, and while some efforts are being made in Congress by way of draft legislation, it’s a long way off from being law. The best thing consumers can do is to contact their representatives to demand legislation that will hold companies like Equifax accountable. In the meantime, you can try to protect yourself by taking actions such as freezing your credit, filing your taxes as soon as possible and consider investing in credit report monitoring and identity theft protection from a company which provides access and alerts for all three of your credit reports.
To learn more about protecting your identity as well as keep up to date on the latest news in identity theft and cybersecurity issues, follow our blog.
Jocelyn is a NextAdvisor.com writer with a love for coffee, reading and all things personal security. She currently covers identity theft, credit monitoring and credit cards. She has been a guest on several radio shows nationwide and her cybersecurity and personal finance expertise have been featured by Forbes, USA Today, Kiplinger’s Personal Finance, The Huffington Post and more. She is a graduate of Syracuse University with a dual degree in Writing and Rhetorical Studies and Anthropology. Follow her on Twitter @JocelynAdvisor.