Equifax Data Breach: Total data lost, the final count
1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

Equifax Data Breach: Total data lost, the final count

An SEC filing made this week outlines the total extent of what was lost in the breach

Suffice it to say at this point everyone is sick and tired of talking about the Equifax data breach. I’m certainly tired of writing about it. But in keeping you up to date on what is, for all intents and purposes, still an extremely important cyber event, we just wanted to pass along some information that was included in an SEC filing Equifax made this week. We now know the full extent of the data that was stolen from Equifax during the breach it originally reported on September 7, 2017.

Equifax has now had an opportunity to perform a complete autopsy on the data breach, and while some of the information provided feels a little more like PR/Marketing than actionable intelligence, we do now have an idea as to the extent of the breach and what, beyond vague catch-alls like “identities,” was stolen.

Total data stolen and number of US consumers impacted in the Equifax Data Breach

Data Element Stolen Standardized Columns Analyzed Impacted U.S.
Name First Name, Last Name, Middle Name, Suffix, Full Name 146.6 million
Date of Birth D.O.B. 146.6 million
Social Security Number SSN 145.5 million
Address Information Address, Address2, City, State, Zip 99 million
Gender Gender 27.3 million
Phone Number Phone, Phone2 20.3 million
Driver’s License Number DL# 17.6 million
Email Address (w/o credentials) Email Address 1.8 million
Payment Card Number and Expiration Date CC Number, Exp Date 209,000
TaxID TaxID 97,500
Driver’s License State DL License State 27,000

Equifax provided the following insight on how this information was compiled:

The attackers stole consumer records from a number of database tables with different schemas, and the data elements stolen were not consistently labeled. For example, not every database table contained a field for driver’s license number, and for more common elements like first name, one table may have labeled the column containing first name as “FIRSTNAME,” another may have used “USER_FIRST_NAME,” and a third may have used “FIRST_NM.” With assistance from Mandiant, a cybersecurity firm, forensic investigators were able to standardize certain data elements for further analysis to determine the impacted consumers and Equifax’s notification obligations.

Additionally, after getting pushed by the US Congress, Equifax examined the number of images that were stolen from impacted consumers and arrived at these numbers:

Government-Issued Identification Approx. # of Images Uploaded
Driver’s License 38,000
Social Security or Taxpayer ID Card 12,000
Passport or Passport Card 3,200
Other 3,000

This release doesn’t contain any information on consumers in the UK and Canada, some of whom were also impacted.

How much is all this stolen data worth?

We actually ran a fairly massive article about cybercrime in 2018 on Monday. I really recommend you take a look, it’s full of stats and tables and infographics. But as was reported there, personal data varies wildly in value depending on how complete it is. A name or an address, even a social security number can go for as little as $3 by itself. However, if you can gather enough data to construct an identity and open a credit card or a bank account with it, you can make quite a bit more.

That’s what makes the Equifax data breach so substantial, the information stolen can be used to create personas and commit legitimate acts of fraud. As we’ve said all along, if you think you were affected you need to be especially vigilant because there’s a considerable degree of risk depending on what was exposed. I wish I had a happier thought to end on, but c’est la vie.

Related: Get Caught up on Equifax Data Breach


Patrick Nohe

Patrick started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. Patrick covers encryption, hashing, browser UI/UX and general cyber security in a way that’s relatable for everyone.