The news just keeps getting worse for Equifax. The company has already had to revise their estimates of how many people were impacted by last year's breach more than once, and now, they're having to revise their estimate yet again. This latest revision comes after company officials had to testify before Congress, which has been formally investigating the matter.
Prior to the release of Equifax's latest "statement of record," here's a snapshot of how bad the data breach was:
- 5 million consumers had their Social Security numbers compromised
- 99 million consumers had address information exposed
- 3 million consumers had gender information exposed
- 3 million consumers had their phone numbers exposed
- 209,000 consumers had their credit card numbers exposed
- 97,500 consumers had their Tax Identification numbers exposed
Now, in addition to all of that, the company is adding the following:
- 6 million consumers had their driver's license numbers exposed
- 12,000 had their Social Security and Taxpayer ID cards exposed
- 3200 consumers had their passports exposed
- An additional 3000 had other documents, such as military and state ID's compromised
As bad as it looks that the company has to keep revising their estimates upward, there's a logical reason for it. The data that was stolen didn't come from a single database. On top of that, the databases themselves all had highly variable structures, which has made it exceedingly difficult for forensic analysts to accurately assess the extent of the damage. All that to say, since the process is still ongoing, we may see yet another upward revision of the scope and scale of the breach.
Of course, the company is doing what most companies do in cases like these: They're offering a year's worth of free credit monitoring to impacted customers. The ironic part of their offer though, is the fact that Equifax is offering their own credit monitoring service free for a year, which converts to a paid monitoring service after the year is up. As Congressional officials rightly pointed out, this means that the company is essentially profiting off of its own breach, which is disturbing to say the least.