Six months after a massive data breach at credit reporting company Equifax, Inc. handed hackers the personal information of nearly 150 million Americans, the fallout continues. Equifax first disclosed in September that hackers used a flaw in its website software to extract the personal information of as many as 145.5 million people. The stolen data included names, Social Security numbers, birth dates, addresses, and driver’s license numbers. In just the first two months following the breach, Equifax incurred $87.5 million of expenses, and that number is now expected to grow to $439 million by the end of 2018, making this, potentially, the most expensive reported data breach to date.
The company is subject to information requests or investigations by all 50 state attorneys general, the U.S. Department of Justice, the U.S. Securities and Exchange Commission, the Federal Trade Commission, the Consumer Financial Protection Bureau, as well as international regulators. And as we reported here and here, the New York Department of Financial Services (DFS) and Secretary of State are investigating as well. The company is also subject to more than 350 class action lawsuits arising from the data breach, which are currently pending in Georgia, where Equifax is headquartered.
And the news keeps getting worse. On Thursday, Equifax said that more U.S. consumers were affected than originally disclosed. The company identified about 2.4 million additional U.S. consumers whose names and partial driver’s license information were stolen, and revealed that the consumers affected “were not in the previously identified” population of cyberattack victims. That brings the total number of U.S. consumers whose personal information was compromised by the breach to 147.9 million. This is the second time that Equifax has revised that number based on “continuing analysis.”
The latest disclosure could not come at a worse time for Equifax. Just last month, an industry study reported that 16.7 million U.S. consumers had their identities compromised in 2017, resulting in $16.8 billion in losses. That number of affected people was up 8% from 2016 and, according to the consulting firm that conducted the study, was the highest since 2003. According to the same study, the Equifax breach, nearly unprecedented in its size, increased overall fraud figures for 2017. At the same time, regulators continue to scrutinize and take action against companies that have been subject to cyberattacks, as evidenced by Pennsylvania’s recent suit against Uber—the third by a state attorney general—for its long-undisclosed data breach.
The company is also facing the ire of Congress. Following Equifax’s latest disclosure, members of the Senate and House Commerce Committee said they want even more information from Equifax and its cybersecurity contractor, Mandiant Corp. The request expands a congressional probe of Equifax’s handling of the breach and its cybersecurity systems. Some lawmakers have not stopped there. Senator Elizabeth Warren, one of the most vocal members of Congress on this breach, says that Equifax has not told the whole story when it comes to the breach. Since the breach was first reported, her office issued an investigatory report, entitled “Bad Credit: Uncovering Equifax’s failure to protect Americans’ personal information,” and Senator Warren now accuses the company of intentionally profiting from its own data breach. Warren, with Senator Mark Warner, also introduced legislation in January that would impose stiff financial penalties and strict liability on credit reporting companies for data breaches.