Equifax revealed in a document sent to a US Senate committee that even more personal data than originally reported may have been exposed during the massive data breach the credit monitoring company experienced last year.
The Wall Street Journal reports that it reviewed a document the company sent to the US Senate Banking Committee. The document said that, in addition to the Social Security numbers, birth dates, addresses and driver's licence numbers initially reported as exposed, the following may also have been exposed: passport numbers; first, last and middle names and suffixes; gender; phone numbers; credit card numbers with expiration date and “CV2” security numbers; email addresses; and tax ID numbers.
Equifax told the NY Post that, even though passport numbers are listed as being involved, it does not believe any were actually taken or exposed.
About 145.5 million people were affected by the Equifax breach, which was officially reported in September 2017, but the company knew there was a problem as early as 30 July. Between that date and revealing the news to the public, Equifax hired the law firm of King & Spalding to handle the cyber-investigation and provide legal advice. In addition, the company contacted the FBI. By 11 August it was known that customer personal information was accessed, followed by the revelation on 15 August that the information was not only accessed but stolen.
Former Equifax CEO and Chairman Richard Smith told the House Energy and Commerce Committee Subcommittee on Digital Commerce and Consumer Protection last fall that the breach was caused by the company failing to realise it was susceptible to the Apache Struts vulnerability. This was despite the company being warned, searching for the problem and failing to find it in its system.
In his prepared remarks, Smith said US CERT notified Equifax of the problem on 8 March and the following day the news was given to the security team. As per company policy, these workers had 48 hours to search for and then patch any problems.
“Apache Struts within Equifax was not identified or patched in response to the internal 9 March notification to information technology personnel,” Smith said.
Additional scans run on 15 March, again searching for the Apache Struts vulnerability, came up empty.