In a new disclosure, Equifax said that hackers stole the names and partial driver’s license information of 2.4 million U.S. consumers during the cyber incident last year.
Earlier, when the company made some disclosures about the incident, Equifax’s IT team and CIO could not identify this affected population.
The IT team leveraged Social Security Numbers (SSNs) and names as the key data elements to identify who was affected by the cyber-attack during the company’s forensic examination of last year’s cybersecurity incident.
Equifax said this was in part because forensics experts had determined that the attackers were predominately focused on stealing SSNs. Equifax’s IT department could not identify these consumers because their SSNs were not stolen together with their partial driver’s license information.
Equifax identified these consumers by referencing other information in proprietary company records that the attackers did not steal, and by engaging the resources of an external data provider.
“This is not about newly discovered stolen data,” said Paulino do Rego Barros, Jr., interim chief executive officer of Equifax. “It’s about sifting through the previously identified stolen data, analyzing other information in our databases that was not taken by the attackers, and making connections that enabled us to identify additional individuals.”
Equifax will notify these newly identified U.S. consumers directly, and will offer identity theft protection and credit file monitoring services at no cost to them.
Equifax launched Lock & Alert for all U.S. consumers on January 31. This new service, which is free for life, enables consumers to quickly lock and unlock their Equifax credit report using a computer or an app downloaded to their mobile device.
The company’s forensics experts did not find evidence that Equifax’s core consumer, employment and income, or commercial credit reporting databases were accessed as part of the cyber-attack.