Equifax Data Breach: Total data lost, the final count
An SEC filing made this week outlines the total extent of what was lost in the breach
Suffice it to say at this point everyone is sick and tired of talking about the Equifax data breach. I’m certainly tired of writing about it. But in keeping you up to date on what is, for all intents and purposes, still an extremely important cyber event, we just wanted to pass along some information that was included in an SEC filing Equifax made this week. We now know the full extent of the data that was stolen from Equifax during the breach it originally reported on September 7, 2017.
Equifax has now had an opportunity to perform a complete autopsy on the data breach, and while some of the information provided feels a little more like PR/Marketing than actionable intelligence, we do now have an idea as to the extent of the breach and what, beyond vague catch-alls like “identities,” was stolen.
Total data stolen and number of US consumers impacted in the Equifax Data Breach
Data Element Stolen | Standardized Columns Analyzed | Impacted U.S. Consumers |
||
Name | First Name, Last Name, Middle Name, Suffix, Full Name | 146.6 million | ||
Date of Birth | D.O.B. | 146.6 million | ||
Social Security Number | SSN | 145.5 million | ||
Address Information | Address, Address2, City, State, Zip | 99 million | ||
Gender | Gender | 27.3 million | ||
Phone Number | Phone, Phone2 | 20.3 million | ||
Driver’s License Number | DL# | 17.6 million | ||
Email Address (w/o credentials) | Email Address | 1.8 million | ||
Payment Card Number and Expiration Date | CC Number, Exp Date | 209,000 | ||
TaxID | TaxID | 97,500 | ||
Driver’s License State | DL License State | 27,000 |
Equifax provided the following insight on how this information was compiled:
The attackers stole consumer records from a number of database tables with different schemas, and the data elements stolen were not consistently labeled. For example, not every database table contained a field for driver’s license number, and for more common elements like first name, one table may have labeled the column containing first name as “FIRSTNAME,” another may have used “USER_FIRST_NAME,” and a third may have used “FIRST_NM.” With assistance from Mandiant, a cybersecurity firm, forensic investigators were able to standardize certain data elements for further analysis to determine the impacted consumers and Equifax’s notification obligations.
Additionally, after getting pushed by the US Congress, Equifax examined the number of images that were stolen from impacted consumers and arrived at these numbers:
Government-Issued Identification | Approx. # of Images Uploaded | |||
Driver’s License | 38,000 | |||
Social Security or Taxpayer ID Card | 12,000 | |||
Passport or Passport Card | 3,200 | |||
Other | 3,000 |
This release doesn’t contain any information on consumers in the UK and Canada, some of whom were also impacted.
How much is all this stolen data worth?
We actually ran a fairly massive article about cybercrime in 2018 on Monday. I really recommend you take a look, it’s full of stats and tables and infographics. But as was reported there, personal data varies wildly in value depending on how complete it is. A name or an address, even a social security number can go for as little as $3 by itself. However, if you can gather enough data to construct an identity and open a credit card or a bank account with it, you can make quite a bit more.
That’s what makes the Equifax data breach so substantial, the information stolen can be used to create personas and commit legitimate acts of fraud. As we’ve said all along, if you think you were affected you need to be especially vigilant because there’s a considerable degree of risk depending on what was exposed. I wish I had a happier thought to end on, but c’est la vie.
Related: Get Caught up on Equifax Data Breach
5 Ways to Determine if a Website is Fake, Fraudulent, or a Scam – 2018
in Hashing Out Cyber SecurityHow to Fix ‘ERR_SSL_PROTOCOL_ERROR’ on Google Chrome
in Everything EncryptionRe-Hashed: How to Fix SSL Connection Errors on Android Phones
in Everything EncryptionCloud Security: 5 Serious Emerging Cloud Computing Threats to Avoid
in ssl certificatesThis is what happens when your SSL certificate expires
in Everything EncryptionRe-Hashed: Troubleshoot Firefox’s “Performing TLS Handshake” Message
in Hashing Out Cyber SecurityReport it Right: AMCA got hacked – Not Quest and LabCorp
in Hashing Out Cyber SecurityRe-Hashed: How to clear HSTS settings in Chrome and Firefox
in Everything EncryptionRe-Hashed: The Difference Between SHA-1, SHA-2 and SHA-256 Hash Algorithms
in Everything EncryptionThe Difference Between Root Certificates and Intermediate Certificates
in Everything EncryptionThe difference between Encryption, Hashing and Salting
in Everything EncryptionRe-Hashed: How To Disable Firefox Insecure Password Warnings
in Hashing Out Cyber SecurityCipher Suites: Ciphers, Algorithms and Negotiating Security Settings
in Everything EncryptionThe Ultimate Hacker Movies List for December 2020
in Hashing Out Cyber Security Monthly DigestAnatomy of a Scam: Work from home for Amazon
in Hashing Out Cyber SecurityThe Top 9 Cyber Security Threats That Will Ruin Your Day
in Hashing Out Cyber SecurityHow strong is 256-bit Encryption?
in Everything EncryptionRe-Hashed: How to Trust Manually Installed Root Certificates in iOS 10.3
in Everything EncryptionHow to View SSL Certificate Details in Chrome 56
in Industry LowdownA Call To Let’s Encrypt: Stop Issuing “PayPal” Certificates
in Industry Lowdown