Equifax admits passport numbers were stolen in cyberattack

Equifax, the credit bureau regrouping after hackers compromised personal data for nearly half the U.S. population, says closer study shows passport numbers were among the information taken.

The finding doesn’t change the total number of people affected, which the Atlanta-based company now says was nearly 147 million.

While Equifax’s initial assessment of the attack uncovered the exposure of personal identification data from birthdates to Social Security and driver’s license numbers, a more detailed review of the web portal consumers used to dispute mistakes on their credit histories showed that hackers had gained access to some of the government documents that users provided to verify their identities, the company said in a regulatory filing this week.

About 3,200 passports were compromised through the portal, which Equifax said it reviewed after congressional inquiries, along with 12,000 Social Security cards and 38,000 driver’s licenses.

“A months-long investigation by my office revealed that Equifax had failed to fully disclose the scope of compromised information,” Sen. Elizabeth Warren, a Massachusetts Democrat who serves on the chamber’s Banking Committee, said in a statement. “After first denying the exposure of passport numbers, Equifax is finally coming clean. It’s unacceptable that the company has taken months to tell the whole truth after this massive breach.”

The consumer credit-reporting firm, which competes with Experian and TransUnion to provide credit histories lenders rely on in evaluating loan applications, has lost 18 percent of its market value since disclosing the theft in September 2017.

Former Chief Executive Officer Richard Smith, who subsequently stepped down, still represented the company in harsh congressional hearings where he was berated for failing to better protect what lawmakers characterized as a “digital Fort Knox,” a reference to the U.S. gold depository in Kentucky.

Members of Congress also debated whether consumers or credit bureaus own the data that such firms collect, a question revisited when Facebook revealed that a consultant on President Trump’s 2016 campaign had improperly accessed information on some 87 million of its users.

How lawmakers answer that question could transform an industry that tracks consumers’ payment histories without their consent, pays them nothing for the data and turns a profit from selling it to lenders.

“There is an avenue for action on this front as the Equifax data breach provides political cover for Congress to advance changes that otherwise would never see the light of day,” Jaret Seiberg, a Cowen Washington Research Group analyst, said in a report last month gauging the likelihood that Congress might impose sharp restrictions.

“The market is underappreciating just how frustrated Democrats and Republicans are over big data, which means they could turn to radical ideas for credit bureau reform,” he said.

Already, a banking-regulation bill passed by the Senate earlier this year gives consumers an unlimited ability to freeze and unfreeze their credit reports and excludes some medical debt for veterans.

Beyond that, there’s a 70 percent chance of follow-up legislation in the next few years that might expand consumer control over credit reports, mandating free monitoring of credit scores and requiring consumers’ approval before their histories are shared for marketing purposes as well as stiffer fines if a credit bureau is hacked, Seiberg said.

Longer-term, three main avenues exist for revising the Fair Credit Reporting Act of 1970 to address data-privacy concerns, Seiberg says.

One, reflected in some bills already, is simply allowing consumers more latitude to dictate how their credit histories are used.

Another is requiring bureaus to purge data sooner than the existing seven-year limit, and the third is empowering individuals to remove all performance data from the credit bureau’s record.
