Update: 2.4 Million More Persons Affected By Massive Data Breach At Equifax In 2017
Thursday, March 01, 2018
Equifax, one of the three national credit reporting agencies, announced today that 2.4 million more persons were affected by its massive data breach in 2017. The March 1st announcement stated, in part:
"Equifax Inc. today announced that the company has confirmed the identities of U.S. consumers whose partial driver’s license information was taken. Equifax was able to identify these consumers by referencing other information in proprietary company records that the attackers did not steal, and by engaging the resources of an external data provider.
Through these additional efforts, Equifax was able to identify approximately 2.4 million U.S. consumers whose names and partial driver’s license information were stolen, but who were not in the previously identified affected population discussed in the company’s prior disclosures about the incident. This information was partial because, in the vast majority of cases, it did not include consumers’ home addresses, or their respective driver’s license states, dates of issuance, or expiration dates... Today’s newly identified consumers were not previously informed because their SSNs were not stolen together with their partial driver’s license information..."
Equifax will notify the newly identified breach victims via U.S. Postal mail, and will offer them complimentary identity theft protection and credit file monitoring services.
The timeline for the massive breach: intrusions occurred in May (2017); Equifax staff first discovered the intrusions in July (2017); Equifax notified the public in September (2017); and the company has now identified 2.4 million more breach victims (March, 2018).
Equifax said in September (2017) that 143 million persons were affected. That was about 44 percent of the United States population. In October (2017), Equifax revised upward the number affected by 2.5 million to 145.5 million persons. What's the new total? Equifax didn't have the guts to admit it in its March 1st announcement. Since the company doesn't seem to want to admit it, I'm going with 147.9 million persons affected -- about 45.6 percent of the population.
So, it took Equifax almost six months after its initial announcement to determine exactly who was affected during its massive data breach. This does not inspire confidence. Instead, it suggests that the company's internal systems and intrusion detection mechanisms failed miserably.
A breach investigation by U.S. Senator Elizabeth Warren (Democrat - Massachusetts) reported several failures:
- Equifax Set up a Flawed System to Prevent and Mitigate Data Security Problems
- Equifax Ignored Numerous Warnings of Risks to Sensitive Data
- Equifax Failed to Notify Consumers, Investors, and Regulators about the Breach in a Timely and Appropriate Fashion
- Equifax Took Advantage of Federal Contracting Loopholes and Failed to Adequately Protect Sensitive IRS Taxpayer Data
- Equifax’s Assistance and Information Provided to Consumers Following the Breach was Inadequate.
Equifax's latest breach update highlights item #3: the company's failure to promptly notify consumers. When consumers aren't notified promptly, they are unable to take action to protect their sensitive personal and payment information.
Have we heard the last from Equifax? Will it provide future updates with even more persons affected? I hope not, but the company's track record suggests otherwise.
Equifax has foisted upon the country a cluster f--k of epic proportions = #FUBAR. Businesses and consumers depend upon secure, reliable credit reports. The United States economy relies upon it, too. Equifax executives need to experience direct consequences: fines, terminations, and jail time. Without consequences, executives won't adequately secure sensitive personal and financial information -- and this will happen again. What do you think?