In a reversal of its previous denials, Equifax last week admitted that passports were involved in the data breach that exposed the data of millions of its customers. The credit reporting agency last September revealed that a data breach had left the personal information of about half of the American population exposed. In February, the company insisted that all that stolen data didn’t include passport numbers.
Except it did. The company in a recent regulatory filing slipped in the detail that more than 56,000 documents had been compromised in the breach, including passports.
In February, Equinox had denied the findings of a report released by Sen. Elizabeth Warren (D-MA) that the 2017 data breach included the passport numbers of some Equifax customers. “Passport numbers were an element we examined while conducting the forensic investigation [of the breach], but we found no evidence that any passport numbers were stolen,” an Equifax spokesperson said in an email to me at the time.
But on Friday, Equifax admitted that there were, in fact, passports involved. In a regulatory filing with the Securities and Exchange Commission, the company said it had analyzed documents uploaded to its dispute portal (the portal people can go to if, say, their name is spelled wrong on a credit report or their address is incorrect) and through a manual review process found that information from 38,000 driver’s licenses, 12,000 Social Security or taxpayer ID cards, and 3,200 passports had been compromised, as well as information from 3,000 other government-issued IDs.
“A months-long investigation by my office revealed that Equifax had failed to fully disclose the scope of compromised information,” Warren said in an emailed statement in response to Equifax’s recent revelation. “After first denying the exposure of passport numbers, Equifax is finally coming clean. It’s unacceptable that the company has taken months to tell the whole truth after this massive breach.”
Equifax is really slow-rolling the full truth
Equifax has taken a drip-drip-drip approach to the data breach since it came clean about it, at least partially, in September of last year. Equifax initially said 143 million customers’ data had been compromised but has since revised that number up twice to about 148 million. After it announced the data breach, Equifax offered affected customers free credit monitoring and identity protection services — as long as they agreed to a forced arbitration clause that barred them from joining forces with other wronged customers to sue the company. After a backlash, the company dropped the clause.
Equifax found out about the breach in July 2017 but waited six weeks before announcing it publicly. In the meantime, three of its executives sold around $2 million worth of their shares in the company.
The same spokesperson who in February told me there was “no evidence” that passport numbers had been compromised said in an email that that earlier response was related to the “data elements contained in the database tables accessed by the attackers.” She said the analysis “conducted on the data elements stolen from those tables found that there were no passport numbers within the passport field accessed by the attacker.”
As for the passports that people were uploading and sending to Equifax that, obviously, contained their passport numbers (and other information), the company says it didn’t know that the images were there because it hadn’t checked them manually, but consumers should have known they had uploaded their documents.
“Equifax disclosed in its initial press release in September of 2017 that there were certain images of dispute documents stolen that contained personally identifiable information,” the spokesperson said. She later continued, “Equifax individually notified those consumers who had dispute documents stolen by direct mail after the initial media announcement in September and completed those notifications in December. The notifications included a list of files they had uploaded to the dispute portal and the date of those uploads.”
She would not speak on the record about why Equifax had not been forthcoming about passports specifically when asked about it in February beyond her initial response.
Equifax’s lawyers on Friday sent a letter to Senate Banking Committee Chair Mike Crapo (R-ID) outlining the company’s “statement for the record” on the data breach, which also included the 3,200 passports and, presumably, passport numbers it had earlier denied were part of the breach. The company explained that because it had already directly notified consumers impacted by the breach that it had happened, it didn’t analyze the government-issued IDs, including passports, in its data portal. It conducted a manual review of the documents at Congress’s request. “The data described … is not additional stolen data, and it does not impact additional consumers,” the letter reads.
Of course, if you’re among the 3,200 consumers whose passport information was compromised, Equifax’s past denials and claims now that, essentially, you should have figured out the problem on your own aren’t entirely reassuring, especially when it claims it didn’t know passports were involved too. Without Congress’s push, Equifax says it wouldn’t have checked manually to see if passports were there in the first place.
Equifax is facing a number of potential legal consequences for the data breach. More than 240 class-action suits have already been filed against the company, and it is cooperating with multiple investigations and probes, including by all 50 state attorneys general, the Federal Trade Commission, the SEC, the Financial Industry Regulatory Authority, the Consumer Financial Protection Bureau, and various congressional committees, among others. Thus far, the outcomes remain unclear.