Ever since Equifax lost control of millions of Social Security numbers, driver's license numbers, names, dates of birth and other sensitive personal information in a massive data breach last year, the credit-reporting agency has gradually upped its estimates of the number of people affected. First it was 143 million consumers, then it was 145 million and finally 147 million.
But now, in a filing to the Securities and Exchange Commission on Monday, May 7, the company is offering its most detailed analysis to date - disclosing not only how many consumers it believes were hit but also the breakdown of which types of information were most likely to have been lost. Although the report does not identify new or additional victims, it marks the first time Equifax has provided such granular detail about the scope of the compromised data.
Names, dates of birth and Social Security numbers were by far the most common type of data stolen by the attackers, Equifax said. Mailing addresses, phone numbers and just under 2 million email addresses followed close behind. Roughly 209,000 credit card numbers and card-expiration dates were taken.
Beyond the information that was stored in those databases, Equifax said the hackers accessed thousands of images of official documents - such as government-issued IDs - that consumers had uploaded to the company to prove their identity. Photos of as many as 38,000 driver's licenses and 12,000 Social Security or taxpayer ID cards were accessed, according to the SEC filing. More than 3,000 passports were also accessed, the company said.
The numbers do not cover the thousands of Canadians and Britons who were affected by the breach.
The report captures the collective damage dealt to consumers in the United States. And it suggests that many victims may have had multiple types of information stolen.
Story by Brian Fung. Fung covers business and technology for The Washington Post. Before joining The Post, he was the technology correspondent for National Journal and an associate editor at the Atlantic.