Equifax Data Breach: Total data lost, the final count

An SEC filing made this week outlines the total extent of what was lost in the breach

Suffice it to say at this point everyone is sick and tired of talking about the Equifax data breach. I’m certainly tired of writing about it. But in keeping you up to date on what is, for all intents and purposes, still an extremely important cyber event, we just wanted to pass along some information that was included in an SEC filing Equifax made this week. We now know the full extent of the data that was stolen from Equifax during the breach it originally reported on September 7, 2017.

Equifax has now had an opportunity to perform a complete autopsy on the data breach, and while some of the information provided feels a little more like PR/Marketing than actionable intelligence, we do now have an idea as to the extent of the breach and what, beyond vague catch-alls like “identities,” was stolen.

Total data stolen and number of US consumers impacted in the Equifax Data Breach

| Data Element Stolen | Standardized Columns Analyzed | Impacted U.S. Consumers |
|---|---|---|
| Name | First Name, Last Name, Middle Name, Suffix, Full Name | 146.6 million |
| Date of Birth | D.O.B. | 146.6 million |
| Social Security Number | SSN | 145.5 million |
| Address Information | Address, Address2, City, State, Zip | 99 million |
| Gender | Gender | 27.3 million |
| Phone Number | Phone, Phone2 | 20.3 million |
| Driver’s License Number | DL# | 17.6 million |
| Email Address (w/o credentials) | Email Address | 1.8 million |
| Payment Card Number and Expiration Date | CC Number, Exp Date | 209,000 |
| TaxID | TaxID | 97,500 |
| Driver’s License State | DL License State | 27,000 |

Equifax provided the following insight on how this information was compiled:

The attackers stole consumer records from a number of database tables with different schemas, and the data elements stolen were not consistently labeled. For example, not every database table contained a field for driver’s license number, and for more common elements like first name, one table may have labeled the column containing first name as “FIRSTNAME,” another may have used “USER_FIRST_NAME,” and a third may have used “FIRST_NM.” With assistance from Mandiant, a cybersecurity firm, forensic investigators were able to standardize certain data elements for further analysis to determine the impacted consumers and Equifax’s notification obligations.
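The standardization step described in that statement can be sketched as follows. This is an added example, not Equifax's or Mandiant's code: only the three first-name column labels come from the quote, while the other aliases, the table names, the sample rows and the choice to key consumers on SSN are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Canonical element -> column labels seen across tables. The three first-name
# labels are the ones quoted above; every other alias is an assumption.
ALIASES = {
    "first_name": {"FIRSTNAME", "USER_FIRST_NAME", "FIRST_NM"},
    "ssn": {"SSN", "SOCIAL_SEC_NO"},
    "dl_number": {"DL#", "DRIVERS_LIC_NO"},
}
COLUMN_TO_ELEMENT = {a: e for e, names in ALIASES.items() for a in names}

# Constructed sample rows; names and values are made up (000-prefixed SSNs are never issued).
TABLES = {
    "table_a": [
        {"FIRSTNAME": "Ana", "SSN": "000-00-0001", "DL#": "D0000001"},
        {"FIRSTNAME": "Ben", "SSN": "000000002", "DL#": ""},
    ],
    "table_b": [{"USER_FIRST_NAME": "Ana", "SOCIAL_SEC_NO": "000000001", "LOGIN_TS": "2017-01-01"}],
    "table_c": [{"FIRST_NM": "Cy", "SOCIAL_SEC_NO": "", "DRIVERS_LIC_NO": "X0000003"}],
}

def normalize_ssn(value):
    """Strip formatting so the same SSN matches across tables; None if unusable."""
    digits = re.sub(r"\D", "", value or "")
    return digits if len(digits) == 9 else None

def impacted_counts(tables):
    """Count distinct consumers per standardized element, keyed on SSN (assumption)."""
    seen = defaultdict(set)   # element -> set of consumer keys
    unmapped = set()          # column labels with no alias yet: need analyst review
    unattributed = 0          # rows that cannot be tied to a consumer by SSN
    for rows in tables.values():
        for row in rows:
            record = {}
            for column, value in row.items():
                element = COLUMN_TO_ELEMENT.get(column.strip().upper())
                if element is None:
                    unmapped.add(column)
                elif value and value.strip():
                    record[element] = value.strip()
            key = normalize_ssn(record.get("ssn"))
            if key is None:
                unattributed += 1
                continue
            for element in record:
                seen[element].add(key)
    return {"counts": {e: len(k) for e, k in seen.items()},
            "unmapped_columns": sorted(unmapped),
            "unattributed_rows": unattributed}

if __name__ == "__main__":
    print(impacted_counts(TABLES))
```

The per-element counts differ because not every table carries every field, and the same consumer appearing in two tables is counted once, which is why the filing reports a separate total for each data element.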

Additionally, after getting pushed by the US Congress, Equifax examined the number of images that were stolen from impacted consumers and arrived at these numbers:

| Government-Issued Identification | Approx. # of Images Uploaded |
|---|---|
| Driver’s License | 38,000 |
| Social Security or Taxpayer ID Card | 12,000 |
| Passport or Passport Card | 3,200 |
| Other | 3,000 |

This release doesn’t contain any information on consumers in the UK and Canada, some of whom were also impacted.

How much is all this stolen data worth?

We actually ran a fairly massive article about cybercrime in 2018 on Monday. I really recommend you take a look; it’s full of stats and tables and infographics. But as was reported there, personal data varies wildly in value depending on how complete it is. A name, an address, or even a Social Security number can go for as little as $3 by itself. However, if you can gather enough data to construct an identity and open a credit card or a bank account with it, you can make quite a bit more.

That’s what makes the Equifax data breach so substantial: the information stolen can be used to create personas and commit real acts of fraud. As we’ve said all along, if you think you were affected, you need to be especially vigilant because there’s a considerable degree of risk depending on what was exposed. I wish I had a happier thought to end on, but c’est la vie.


1 comment
  • It’s interesting to me that Equifax has actually managed to train several, highly skilled, monkeys to make these SQL DBs. I bet that training those monkeys was more expensive than hiring somebody like me who understands the importance of sensitive data whilst also knowing the difference between plaintext and encryption. It really is a shame they couldn’t teach those monkeys industry standard AES-256… but at the very least they could have applied the encryption to the databases after the monkeys had finished typing 🙂

    This is just a fail of massive proportions… reminds me of a guy who checks to see if a gun is loaded by looking down the barrel while his finger is on the trigger. Must have been some drunk monkeys. :/

    Or maybe… maybe they weren’t so incredibly stupid as to store this data plaintext on an insecure public facing server. Maybe it was an inside job and they’re trying to cover their asses by claiming it was the one armed hacker! I don’t have another plausible explanation for such stupidity.

    For the non-technical people… this is analogous to putting a large amount of cash money in your driveway just behind an unlocked metal chain fence, open for the world to see plain as day. Do you think it’ll get stolen? Maybe banks should start storing their cash out on the open desks when you walk in the bank.


Author

Patrick Nohe

Patrick started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. Patrick covers encryption, hashing, browser UI/UX and general cyber security in a way that’s relatable for everyone.