An SEC filing made this week outlines the total extent of what was lost in the breach
Suffice it to say at this point everyone is sick and tired of talking about the Equifax data breach. I’m certainly tired of writing about it. But in keeping you up to date on what is, for all intents and purposes, still an extremely important cyber event, we just wanted to pass along some information that was included in an SEC filing Equifax made this week. We now know the full extent of the data that was stolen from Equifax during the breach it originally reported on September 7, 2017.
Equifax has now had an opportunity to perform a complete autopsy on the data breach, and while some of the information provided feels a little more like PR/Marketing than actionable intelligence, we do now have an idea as to the extent of the breach and what, beyond vague catch-alls like “identities,” was stolen.
Total data stolen and number of US consumers impacted in the Equifax Data Breach
|Data Element Stolen||Standardized Columns Analyzed||Impacted U.S.
|Name||First Name, Last Name, Middle Name, Suffix, Full Name||146.6 million|
|Date of Birth||D.O.B.||146.6 million|
|Social Security Number||SSN||145.5 million|
|Address Information||Address, Address2, City, State, Zip||99 million|
|Phone Number||Phone, Phone2||20.3 million|
|Driver’s License Number||DL#||17.6 million|
|Email Address (w/o credentials)||Email Address||1.8 million|
|Payment Card Number and Expiration Date||CC Number, Exp Date||209,000|
|Driver’s License State||DL License State||27,000|
Equifax provided the following insight on how this information was compiled:
The attackers stole consumer records from a number of database tables with different schemas, and the data elements stolen were not consistently labeled. For example, not every database table contained a field for driver’s license number, and for more common elements like first name, one table may have labeled the column containing first name as “FIRSTNAME,” another may have used “USER_FIRST_NAME,” and a third may have used “FIRST_NM.” With assistance from Mandiant, a cybersecurity firm, forensic investigators were able to standardize certain data elements for further analysis to determine the impacted consumers and Equifax’s notification obligations.
Additionally, after getting pushed by the US Congress, Equifax examined the number of images that were stolen from impacted consumers and arrived at these numbers:
|Government-Issued Identification||Approx. # of Images Uploaded|
|Social Security or Taxpayer ID Card||12,000|
|Passport or Passport Card||3,200|
This release doesn’t contain any information on consumers in the UK and Canada, some of whom were also impacted.
How much is all this stolen data worth?
We actually ran a fairly massive article about cybercrime in 2018 on Monday. I really recommend you take a look, it’s full of stats and tables and infographics. But as was reported there, personal data varies wildly in value depending on how complete it is. A name or an address, even a social security number can go for as little as $3 by itself. However, if you can gather enough data to construct an identity and open a credit card or a bank account with it, you can make quite a bit more.
That’s what makes the Equifax data breach so substantial, the information stolen can be used to create personas and commit legitimate acts of fraud. As we’ve said all along, if you think you were affected you need to be especially vigilant because there’s a considerable degree of risk depending on what was exposed. I wish I had a happier thought to end on, but c’est la vie.
Related: Get Caught up on Equifax Data Breach