The credit rating agency said it didn’t originally announce “potential” data points, like tax identification numbers, that “may have been accessed” by hackers.
Hackers stole more data from Equifax in a breach last year than initially thought.
In September, the Atlanta, GA-based credit giant revealed a huge data breach, including names, social security numbers, birth dates, home addresses, and in some cases driver’s license numbers. It was later confirmed over 145 million were affected, primarily Americans, but also some Canadians and British citizens.
The hack became the largest single data breach reported in 2017.
But documents seen by members of the Senate Banking Committee suggest the types of data stolen were wider than the company first reported.
A letter published Friday by committee member Sen. Elizabeth Warren (D-MA) to acting Equifax chief executive Paulino do Rego Barros summarized the senator’s five-month investigation into the Equifax breach, which said tax identification numbers (TINs), email addresses, and additional license information — such as issue dates and by which state — were not originally disclosed,
The news of the documents was first reported by The Wall Street Journal.
Tax identification numbers are usually issued by the Internal Revenue Service to workers who aren’t eligible for a Social Security number, like foreign nationals, in order to report income and file tax returns.
The exposure of tax identification numbers was likely because they were found in the same portion of the database where other tax numbers, like Social Security numbers, were stored.
Commenting in several tweets, Warren said: “In October, when I asked the CEO about the precise extent of the breach, he couldn’t give me a straight answer. So for five months, I investigated it myself.”
“My investigation revealed the depth of the breach and cover-up at Equifax,” she added. “And since I published the report, Equifax has confirmed it is even worse than they told us.”
When reached, an Equifax spokesperson called the Journal’s headline “extremely misleading,” but confirmed that some additional data points were impacted by the breach.
“We are fully aware — and have been — of the data that was stolen,” said spokesperson Meredith Griffanti in an email to ZDNet.
The company said it has always been up front about the data “primarily included” in the data breach, but recently gave the Senate Banking Committee data points “that may have been accessed that we categorized and analyzed in the forensic investigation.”
“Some of these were impacted — and some, like passports or [card verification numbers] for example, were not,” said Griffanti.
“We sent direct mail notices to those consumers whose credit card numbers or dispute documents with [personal data] were impacted,” the spokesperson confirmed.
In the company’s response to lawmakers, Equifax said the list of types of stolen data is “not exhaustive,” but represents common kind of personal data that hackers search for.
The company said that the number of impacted consumers has not changed.
Since the breach, the company has been accused of persistently botching its response. Not only did Equifax take four months to disclose the hack, the breach was later attributed to a vulnerable server that the company had failed to patch earlier in the year. After the hack was eventually disclosed, Equifax struggled to inform its users — many of which had no idea the company was hoarding data on them in the first place — if they were vulnerable.
Lawmakers have also expressed their frustration at the company’s handling of the incident.
Richard Smith, who retired as the company’s chief executive following the breach, was later rebuked by lawmakers at a hearing in November for failing to answer basic questions about the hack.
Although lawmakers vowed to investigate, the government body charged with consumer protections, the Consumer Financial Protection Bureau, reportedly halted its investigation following a change in leadership.
Several senators have demanded answers to know why the investigation stopped.
Meanwhile, Warren, along with fellow committee member Sen. Mark Warner (D-VA), introduced the Data Breach Prevention and Compensation Act, which the senators said in comments will hold large credit reporting agencies accountable for data breaches involving consumer data.
The bill, if passed, would fine credit rating giants $100 for each consumer who had one piece of personal data stolen, and $50 for each additional set of personal data compromised.
Under the legislation, Equifax would have to pay billions in damages for its 2017 breach.