LEAKED: Worst Data Hack in US History Gets Worse
by Wolf Richter – Wolf Street
What else has Equifax not disclosed yet?
The Equifax hack just keeps getting worse. The first revelations came on September 7: Equifax had discovered on July 29 that it had been hacked sometime between “mid-May through July,” and that the crown jewels of consumer data, including Social Security numbers, on 143 million US consumers were stolen. The tally has since been raised to 145.5 million consumers. In terms of quantity and sensitivity, it was the worst consumer data hack in US history.
“In some instances” driver’s license data were also stolen, the company disclosed at the time. Driver’s license data includes license number, name, address, date of birth, and basic physical features of the person. This is important and valuable data for identity thieves and other fraudsters and fills in some gaps in the other data that had been stolen.
But without telling consumers, Equifax went around and told its customers – mainly banks and credit card companies – that the tally of driver’s license data that had also been stolen, previously minimized with the phrase “in some instances,” amounted to driver’s licenses of 10.9 million consumers.
This wasn’t an announcement disclosed by the company in a vapid and robotically apologetic press release, but was leaked by “people familiar with the matter,” and reported today by the Wall Street Journal.
The fact that consumers whose DL data had been stolen and who’d become more vulnerable to some fraud didn’t need to be informed about it fortifies the simple fact that, for Equifax, consumers are just the lowly product – and dealing with that product is just an expense.
How did Equifax even get this driver’s license data in the first place?
In many cases, Equifax asked consumers for their driver’s license number when they contacted the company, claiming it was needed to verify their identity. In other cases, Equifax asked for the DL number at its website set up to resolve credit-report discrepancies. The Wall Street Journal:
The dispute-resolution page appears to have been at least one avenue hackers used to access the company’s systems. This was done by hackers exploiting a security vulnerability in software that ran on the dispute portal’s web application.