Equifax has published yet more details on the personal records and sensitive information stolen by miscreants after they hacked its databases in 2017.
The good news: the number of individuals affected by the network intrusion hasn’t increased from the 146.6 million Equifax previously announced, but extra types of records accessed by the hackers have turned up in Mandiant’s ongoing audit of the security breach.
In February, in response to questions from US Senator Elizabeth Warren (D-MA), Equifax agreed that card expiry dates and tax IDs could have been among the siphoned data, but it hadn’t yet worked out how many people were affected.
Late last week, the company gave the numbers in letters to the various US congressional committees investigating the network infiltration, and on Monday, it submitted a letter to the SEC, corporate America’s financial watchdog.
As well as the – take a breath – 146.6 million names, 146.6 million dates of birth, 145.5 million social security numbers, 99 million address information and 209,000 payment cards (number and expiry date) exposed, the company said there were also 38,000 American drivers’ licenses and 3,200 passport details lifted, too.
The further details emerged after Mandiant’s investigators helped “standardise certain data elements for further analysis to determine the consumers whose personally identifiable information was stolen.”
The extra data elements, the company said, didn’t involve any individuals not already known to be part of the super-hack, so no additional consumer notifications are required.
The cyber-break-in occurred because Equifax ran an unpatched and therefore insecure version of Apache Struts, something it blamed on a single employee.
At February’s RSA conference in San Francisco, Derek Weeks of Sonatype claimed “thousands” of companies continued to download vulnerable versions of Struts (follow the link to see the video).