Equifax's Data Breach By the Numbers: 146 Million Social Security Numbers, 99 Million Addresses, and More

Several months after the data breach was first reported, Equifax has published the details on the personal records and sensitive information stolen in the cybersecurity incident. The good news: the number of individuals affected by the network intrusion hasn't increased from the 146.6 million Equifax previously announced, but extra types of records accessed by the hackers have turned up in Mandiant's ongoing audit of the security breach," reports The Register. From the report: Late last week, the company gave the numbers in letters to the various U.S. congressional committees investigating the network infiltration, and on Monday, it submitted a letter to the SEC, corporate America's financial watchdog. As well as the -- take a breath -- 146.6 million names, 146.6 million dates of birth, 145.5 million social security numbers, 99 million address information and 209,000 payment cards (number and expiry date) exposed, the company said there were also 38,000 American drivers' licenses and 3,200 passport details lifted, too.

The further details emerged after Mandiant's investigators helped "standardize certain data elements for further analysis to determine the consumers whose personally identifiable information was stolen." The extra data elements, the company said, didn't involve any individuals not already known to be part of the super-hack, so no additional consumer notifications are required.

And Trump's taxes?

Remember when we used to have standards for things?

US numbers are nice and all, but...

How many people from other countries got screwed by Equifax and to what degree? The stories reporting affected people seem to continually ignore the fact that there's more to the planet than the US and companies like Equifax have no qualms about screwing non-USians, too.

Re:US numbers are nice and all, but...

In many other countries, you cannot take someone's money from the bank or take out a loan simply by having a semi-public information like DOB or some ID number or an address.

That would be called fraud, and the bank would be liable for such lost since the bank is the victim.

Only in American would allow the bank to pass the loss (due to their own fault) to their customer, and call that "identity theft".

Re:US numbers are nice and all, but...

[anegg]

Bingo. This comment hits the nail on the head. The idea that Big Institution A wasn't stupid when they gave out cash, goods, or services to an individual who merely claimed someone elses identity without any proof is ridiculous. The fact that the legal system pins the problem on the innocent person who wasn't a party to the deal in the first place is criminal. Put the responsibility back where it belongs - in the hands of the Big Institution who is so eager to do business that they don't properly establish the identity of a person to whom they extend credit.

I am American

I have a very short short term memory. What happened to Equi...Oh look its a bird, its a plane...Oh look, the new season of Survivor is on.

Re:I am American

[ELCouz]

In fact this isn't only a problem with Americans but world wide. People globally just don't give a damn... Where are the pitchforks guys?!

Disclaimer: I am not an American

Re:I am American

In fact this isn't only a problem with Americans but world wide. People globally just don't give a damn... Where are the pitchforks guys?!

  Disclaimer: I am not an American

Pitchforks for what? Just another breach in an epidemic of data breaches over the last 15 years or so? pfft. And that doesn't even cover breaches that have occurred but were never reported. Frankly its never been that difficult to obtain the kind info that was stolen from Equifax about an individual. I wouldn't worry about it.

Re:I am American

Well, they're getting sued silly by tons of class action lawsuits and small claims.

Re:I am American

[sjames]

It does rub salt in the woulds a bit that Equifax has done nothing but make matters worse for people whose ID is used fraudulently, and now they have actually facilitated that same ID fraud on a massive scale.

Detterant

It's a good thing all those executives went to prison so corporations will start taking security seriously.

Oh wait.

Re:Detterant

[ShanghaiBill]

It's a good thing all those executives went to prison so corporations will start taking security seriously.

Sending people to prison for incompetence is silly. America already has far more people in prison than China, Russia or Iran, and four times the incarceration rate of the developed country average.

Non-violent offenders do not belong in prison. For instance, Equifax executives could wear tracking anklets and spend 60 hours a week changing bedpans in nursing homes for the next 10 years. The cost to the taxpayers would be negligible, they would be doing useful work, and they may be back below their level of incompetence.

Re:Detterant

Yeah it'd be much better to do like China, Russia or Iran and just shoot them...

Re:Detterant

Why would the executives go to prison? They didn't hack into Equifax and steal the info. The hackers did that and they're the ones who should be in prison.

Re:Detterant

Non-violent offenders do not belong in prison.

Is that a reference to the poor persecuted drug users? At least when they are locked up, they are not pouring money into the Mexican drug cartels' pockets.

Re:Detterant

[rsborg]

> Sending people to prison for incompetence is silly.

Anything but time served is something the Corporation can just take as an "operating cost". Now how that time is served (either prison or community service) is debatable.

At this level of disaster it doesn't matter whether the result was incompetence or malfeasance. According to Gray's Law [1] Any sufficiently advanced incompetence is indistinguishable from malice. At some point the Corporation's failure should result in tangible punishment regardless of why.

http://wikidumper.blogspot.com...

Re:Detterant

Equifax executives could wear tracking anklets and spend 60 hours a week changing bedpans in nursing homes for the next 10 years.

Dude, do you want a HIPAA violation. Because that's how you get a HIPAA violation.

And don't even get me started if it's a VA facility they get sent to.

Re:Detterant

Apologist Shangfaggot Bill says white collar crime is fine and fails to notice that totalitarian countries don't bother to count their imprisoned/disappeared... news at 11, as the Trump apologist blathers on.

Re:Detterant

[140Mandak262Jamuna]

Sending people to prison for incompetence is silly. .

Sufficiently advanced incompetence is indistinguishable from malice.

Re:Detterant

At least when they are locked up, they are not pouring money into the Mexican drug cartels' pockets.

Why not? Who are they buying their drugs from in prison?

Re:Detterant

[aquacrayfish]

Sending people to prison for incompetence is silly.

This is what pisses me off most when having technical discussions. Claiming something is hard when you signed up for a job doesn't fly. Let's ignore the fact that Equifax was aware of the security issues before this breach happened. Let's ignore the fact they're repeat offenders with handling data. They handle people's data that controls identity. It's borderline impossible to undo damage and prevent it once this information leaks.

(And why our government is continuing to use them after this breach is... perhaps the dumbest thing I've seen in my life. But that's another story)

When you handle data this sensitive, if you can't handle it and barely even attempt to lift a finger to fix the problem YOU SHOULD BE PUNISHED. Seriously, how bad of a fuck-up needs to happen before you decide someone should be punished? When does it *start* for you?

Re:Detterant

Sweety, the reason they buy from the criminals is because you and yours made it a crime.

Legalise and regulate. Same as alcohol and tobacco. Add a tax that goes to hospitals or medical care for chronic abusers if you want. Spend the money you save on enforcement on support and watch your crime shrink, the cartels implode and the poorest and most vulnerable members of society start to do a bit better.

Or is that last sentence the one that sticks in the craw?

Re:Detterant

Sending people to prison for incompetence is silly.

How about fining them instead? They should be forced to compensate each of the 146 million persons whose social security numbers were leaked. A compensation of $2,000 per person affected for a total of 292 billion dollars sounds like a good place to start. The only way that companies are going to change their ways is by facing the financial death penalty for failure. If they cannot pay, then all data held by Equifax should be seized in remission of the debt and permanently destroyed.

Re:Detterant

The Chinese don't shoot them anymore. When a Chinese national commits a serious crime, they send the mobile execution van around and give them a lethal injection. This is what happened to the billionaire behind the melamine in baby formula scandal. The Chinese executed him in the van like any common criminal. His wealth did not save him. I have to say, there's something oddly satisfying about the Chinese way of dealing with these wealthy criminals who think that they're above the law.

Re:Detterant

[sjames]

Prison may not be the right choice, community service probably fits better.

As to why, THEY decided to spend more on marketing and less on security. They knew they had a problem and THEY decided to keep it covered up as long as possible (and so increased the damage). They choose to continue pretending that adverse credit reports are accurate even knowing that their own sloppy security introduced a great deal of doubt into that.

And finally, THEY have done their damnedest ever since to make sure anyone and everyone but them bears the burden of cleaning up their mess.

Incompetently leaking all that data was just the first in a chain of wrongs. Their actions afterward were fully under their control and the result of conscious decisions.

Perhaps a few years of picking up trash on the weekend would re-adjust their attitude.

Re:Detterant

[ShanghaiBill]

Yeah it'd be much better to do like China, Russia or Iran and just shoot them...

Russia has not used the death penalty in more than 20 years. The last judicial execution was in 1996.

Re:Detterant

[ShanghaiBill]

A compensation of $2,000 per person affected for a total of 292 billion dollars sounds like a good place to start.

Equifax doesn't even have 1% of that amount, and never will.

If they cannot pay, then all data held by Equifax should be seized in remission of the debt and permanently destroyed.

So thousands of employees, who had nothing to do with the breach, would lose their jobs, and the credit reporting industry would switch from a tri-opoloy to a duopoly, making the situation worse for consumers.

Perhaps you should think about this some more.

Re:Detterant

Rich people are not punished. Your "shoulds" don't matter one bit. The world is only as just a place as we make it, and we have not (and will not ever) make it a place where the rich and powerful suffer punishments that fit their crimes.

Your personally identifying information is in the hands of criminals that want to use it to steal money. Adapt accordingly.

Re:Detterant

Equifax doesn't even have 1% of that amount, and never will.

They damaged the lives of millions of Americans by their negligence. They have to answer for that, like Lehman Brothers did with bankruptcy and liquidation.

So thousands of employees, who had nothing to do with the breach, would lose their jobs

They will have to find new jobs. Maybe next time they should think more carefully about who they work for.

and the credit reporting industry would switch from a tri-opoloy to a duopoly, making the situation worse for consumers.

Business as usual is no longer acceptable. We need an American version of the European General Data Protection Regulation and frankly we need less easy access to consumer credit here in the United States and more savings. I never gave Equifax permission to have my data. Why do they have my Social Security Number? That should be illegal . If their business cannot exist without harming me when I don't want anything to do with them then I say that their business is a criminal enterprise.

Re:Detterant

Now they just go around poisoning people unofficially.

Re:Detterant

Vs hellfiring via drones officially?

Re:Detterant

[AlwinBarni]

Yeah it'd be much better to do like China, Russia or Iran and just shoot them...

Russia has not used the death penalty in more than 20 years. The last judicial execution was in 1996.

Of course, and still there was:
- Sergei Magnitsky: Magnitsky had died from being beaten and tortured by several officers of the Russian Ministry of Interior
- Anna Stepanovna Politkovskaya: tried to be poisoned, finally murdered
- Maksim Borodin: died of injuries from falling out of a window
- and many many others, either poisoned abroad or beaten to death, or just plainly murdered

I assume, that by now everyone able to read have read Orwell's books, so people can differentiate between official statistics and reality in totalitarian countries.

Re:Detterant

|A fine of $10,000 for possession of a controlled substance, $3,000 court costs, and 6 months of prison is a good place to start.

But bob doesn't even have $1,000 and never will.

|If he cannot pay impound fees while he is in jail and 'paying' $10,000 , then his family car will be seized and sold at auction.

So, his wife, 8 year old son, and 3 year old daughter, who had nothing to do with the pot, would lose their car, and mom lose her job because of lack of transportation, and with dad not working for a year they will loose their apartment. Then they will go on public assistance, making the situation worse, for the family, the defendant, and taxpayers as a whole.

THIS is exactly how 'justice' works for everyone in this country EXCEPT the rich, the famous, and corporations.

YES!!!!!!!!!!!!!!
EVERYONE at equifax should lose their jobs, and every investor should lose money.
Lots of money.

We EXPECT peoples lives to be ruined if they even touch the justice system.

Why in the hell should a corporation get any less?
The only way that we can expect corporations to follow the law is if personal legal responsibility and corporate death is a possibility.

  I just find it beyond crazy that every time a corp pulls this shit people act like having any consequences for the business is immoral because it would impact innocent people.
Do you not think jailing 'Bob' impacts the innocent?
Jail always impacts innocent people!

 

I don't recall ever giving my permission

[Typingsux]

For Equifax to be in charge of my personal information.

Can anyone elaborate as to why they were put in charge, and what recourse do I have to punish this company for mishandling my information?

Re:I don't recall ever giving my permission

Your recourse is free credit monitoring for 1 year!!

The credit monitoring will be performed by Equifax, the world's leading provider of credit reporting analytics and protection services

Re:I don't recall ever giving my permission

If you don't have anything to hide, then you have nothing to worry about.

Re:I don't recall ever giving my permission

Because you applied for credit sometime in your life. Even the simple act of opening a savings account is all it takes for a credit profile to be created. In the United States, the information is not yours, it belongs to the creditor and the credit reporting companies. You would live off the grid from birth in order not to have a credit file.

Wow, the captcha is "credit".

Re:I don't recall ever giving my permission

I take comfort in numbers. The chances that bad guys will do something nefarious with my info is really slim.

Re:I don't recall ever giving my permission

It's not YOUR information. Its information about you that your bank, your mortgage lender, your insurance company, your car dealership, and anywhere you have a line of credit that was given to equifax to report on to other institutions you want to do business with or wants to market something to you. In addition, Equifax also runs WorkingNumber which is an employment verification service. So if your employer uses them, then Equifax has your employment history and othe info as well. See, you really don't own your information. That's why you don't get paid whenever your info is shared or sold to other companies.

Re:I don't recall ever giving my permission

you have to personally kill the CEO. rule of law has broken down and the system no longer represents us so there's no other way.

Just post every SSN

Why do financial institutions seem to insist that Social Security numvers are a secret code? The government should just publish ALL of the SSNs in a digest. It's not supposed to be secret information, but credit agencies for some reason think it's a secret code, and knowing it means somebody should be able to be granted instant credit at the cash register of a department store.

If it makes it more expensive for credit agencies to do actual background checks before extending credit they can suck air.

If 10% of the population went on record and disclosed their SSNs publicly it would shut down the SSN as a 'secret code.' It's time for it to happen.

Re:Just post every SSN

[ShanghaiBill]

Why do financial institutions seem to insist that Social Security numvers are a secret code? The government should just publish ALL of the SSNs

That is the way it works in many countries: Your citizenship number is public information.

Many have a separate changeable PIN for authentication.

The American system of making the same number both semi-public and secret is unique.

If 10% of the population went on record and disclosed their SSNs publicly it would shut down the SSN as a 'secret code.'

Equifax has already done this as a public service. Good for them.

Re:Just post every SSN

[Sloppy]

If 10% of the population went on record and disclosed their SSNs publicly it would shut down the SSN as a 'secret code.' It's time for it to happen.

It has happened; that's what the story is about. 50-100% Americans already did, whether we wanted to or not.

The information is no longer secret; we know for sure that it is definitely in the hands of ne'er-do-wells. Anyone who uses it for authentication is definitely, 100% being negligent without any possibility that they're trying to do the right thing or even slightly being diligent. If loans have been made based on this, we know that the loaning institution is almost certainly reporting their assets fraudulently.

So.. post yours.

Yeah, me neither. The problem is that even though the info is no longer secret, the government might still be pretending that it is... which makes it be sensitive.. sort of. So it's a government problem at this point.

Maybe November's candidates should be talking about how they intend to deal with it.

Re:Just post every SSN

[Sloppy]

"Unique."

I nominate ShanghaiBill for the Politest Person of the Year award!

Re:Just post every SSN

He is polite alright. I'd have used different term, like: stooopid, or idioootic.

Shut these assholes down.

Equifax should be shut down for gross malfeasance, its charter dissolved, and its executives and board of directors held without bail on criminal charges.

Re:Shut these assholes down.

Equifax should be shut down for gross malfeasance, its charter dissolved, and its executives and board of directors held without bail on criminal charges.

Gather the wood! Build the stakes! Fire up the ovens! Burn them! BUUUURRRRRNN THEMMMM!!!!!

charge them for the privilege

[supernova87a]

I keep saying, the following penalty scheme imposed on companies will clean up data breaches right quick:

$1 per name, email, physical address
$2 per phone number
$3 per credit card number
$4 per SSN

And multiply for combinations thereof. You'll see how fast companies move to secure their data.

Re: charge them for the privilege

How about:

$1 per name, email, physical address
$2 per phone number
$4 per credit card number
$8 per SSN

Re:charge them for the privilege

I keep saying, the following penalty scheme imposed on companies will clean up data breaches right quick:

$1 per name, email, physical address

$2 per phone number

$3 per credit card number

$4 per SSN

And multiply for combinations thereof. You'll see how fast companies move to secure their data.

It would never be enforced. Regulatory capture is the primary issue, not the laws.

Re:charge them for the privilege

I keep saying, the following penalty scheme imposed on companies will clean up data breaches right quick:

This is what happens when you treat corporations like people. The executives responsible for the breach, stock sale, and cover-up must face both criminal and civil charges.

Re:charge them for the privilege

It would never be enforced. Regulatory capture is the primary issue, not the laws.

Do like they do here in California. Draft the law to create a private right of action so that anyone who can prove that a violation occurred can sue and if they prevail are entitled to receive 20% of the judgement.

Re:charge them for the privilege

[AlwinBarni]

I keep saying, the following penalty scheme imposed on companies will clean up data breaches right quick: $1 per name, email, physical address $2 per phone number $3 per credit card number $4 per SSN And multiply for combinations thereof. You'll see how fast companies move to secure their data.

No, it will not work as long as people responsible are not held accountable.

Most of the cases I know the CEO making decisions retires with multi-million golden parachute and all the penalty costs (if any) are passed on consumers or victims (as is the case of Equifax - people have to pay for locking their accounts, and one pays as long as one wants the lock be active) or ordinary workers.

Top management don't give a damn about penalties, because they make up the rules of profits distribution and by the time anything is out in public, their pockets are usually full or/and their moved to another place if the screw-up was really big. Do you remember the shares selloff by Intel and Equifax executives?

The IRS has news for you...

[The+Fat+Bastard]

I got a letter from the IRS that my SSN is being used by someone else to obtain employment. Again. Thanks, Equifax!

Re:The IRS has news for you...

I got a letter from the IRS that my SSN is being used by someone else to obtain employment. Again. Thanks, Equifax!

Sometimes people just make up SSNs if the employer is small enough to avoid e-verify... You could simply be unlucky...

Re:The IRS has news for you...

Well you're not using it, so...

Re:The IRS has news for you...

Somebody is buying him food.

Re:The IRS has news for you...

Using it for employment isn't a problem. The most that could do is bump up your Social Security payments a little.
It's using it to open credit accounts that's a problem.

There will be justice

After we collect a few heads.

Percentage Perspective

[psnyder]

That's the names, dates of birth, and tax ID numbers of roughly 45% of the entire United States (population ~326 million). Subtract children who don't have credit yet (~74 million), that's roughly 58% of US adults.

If "payment card" means credit card, that's 20% of all them in the US (1,041 million). Often you only need the number and expiration date to charge something to the card.

Those addresses are for roughly 30% of the population (if an address was attached to one name), or more (if an address was attached to multiple names [ie: people living together]).

Data used in mass Walmart.com CC applications

[freak0fnature]

While you won't find this info out there as it's been pretty hushed, but walmart.com took down their CC application site for over a week after a load of stolen IDs were used to apply for CC's there. There is some indication that the data came from this breach.

The worst part

[sjames]

Their primary business is making sure adverse credit information follows people around, while making the assumption that the adverse reports are actually about the named person. Even while they know damned well that their own negligence has enabled ID fraud on a massive scale.

The most significant number: 0 zero zilch nada ni

[140Mandak262Jamuna]

The number of top executives who went to jail : 0

why the fuck do they have passport info?!

how is this legal? who do we have to execute to fix this shit? the credit agency business shouldn't even be legal in the first place. lenders should have to make their own judgement.

Re:The most significant number: 0 zero zilch nada

Number of those responsible for the breach raped in jail : 0

Re:Deterent

[thomst]

ShanghaiBill opined:

Non-violent offenders do not belong in prison.

Prompting a courageous Anonymous Coward to respond:

Is that a reference to the poor persecuted drug users? At least when they are locked up, they are not pouring money into the Mexican drug cartels' pockets.

You really, really need to read Pulitzer Prize-winning journalist Sam Quinones' book Dreamland: The True Story of America's Opioid Epidemic. It's essentially the story of how Perdue Pharmaceuticals created the opioid epidemic in the USA by misrepresenting to the FDA, Congress, and doctors across the country how "harmless" prescribing powerful opiod narcotics was, even for chronic pain.

Based strictly on Perdue's bullshit, doctors - especially high school and college sports medicine doctors - prescribed amounts of Perdue's high-purity hydocodone medication high enough to guarantee addiction in athletes, housewives, and victims of trauma (auto accidents, falls, etc.) over long periods of time. When schools and insurance companies cut them off from those pharmaceutical sources, they turned in droves to Mexican brown heroin - which a whole new coop-style drug cartel operating out of the region around Xalisco supplied, using a fleet of drivers and a central dispatcher in each city they expanded into to bring the heroin to their customers with virtually zero risk of being caught making a deal.

Those drug addicts whose lives you so casually dismiss were almost all created by Perdue's lies, and multi-billion-dollar, direct-to-physicians marketing campaign. They're junkies, yes. But most of them are victims of deliberate pharmaceutical industry malfeasance, not deliberate actors.

Full disclosure: I have no affiliation with Sam Quinones, nor do I have any affiliate relationship with Amazon. If you buy his book via the above link, I get exactly zero dollars - or any other consideration - from the sale. (And you can get it from any other major bookseller, if you prefer not to make Jeff Bezos any richer, btw.) I simply believe it's essential reading for anyone who's interested in how the hell this country found itself in this mess to begin with, and who's responsible for getting us here ...

Tell loan companies, "No data to Equifax"

When I apply for a credit card, I want to be able to tell the credit card company, "You may send information about to me to any credit reporting agency except Equifax. You may not send information about me to Equifax."

That would help protect me from my data getting stolen from Equifax servers.

Also: If we could do that, and if enough people did it, then Equifax would have much less data about people to sell, which would hurt their business. Then they'd either straighten out, or go out of business. And their going out of business would be a warning to other credit reporting agencies to keep their data secure.

Maybe a law can be passed, which would let people restrict which credit reporting agencies get their data.

I don't worry about this

I don't worry about this because I run APK's hosts file engine. It is the ultimate security application or so he tells me. It does more than any other solution available. He even has small snippets of text that lack context from registered slashdot users to prove it.