The Atlanta-based credit reporting agency Equifax said in a report to the U.S. Senate Banking Committee that additional consumer information was breached. Last year, a cyberattack exposed personal information of more than 145.5 million people, and at the time Equifax did not list all of the data that was breached.
According to the document, the additional information that was exposed includes tax identification numbers, email addresses and phone numbers, expiration dates for credit cards and states where driver’s licenses were issued.
In a letter to Equifax, U.S. Senator Elizabeth Warren criticized the company for “vague and misleading statements.”
“While Equifax confirmed the release of this additional data this morning, the company continues to disassemble and downplay the significance, refusing to provide any information on the number of taxpayer identification numbers or email addresses that were hacked, and claiming that email addresses ‘aren’t considered sensitive personal information.’” Warren wrote.
Equifax spokeswoman Meredith Griffanti said the additional data is considered “subsets” of data they already disclosed had been breached.
“Back in September when we first announced the details of the cyber security incident, we did put in our press release that the information accessed primarily – and that’s the key word primarily – included names, social security numbers, birthdates, addresses, driver’s license numbers and in some instances credit card numbers and certain dispute documents with personal identifying information,” Griffanti said. “The reason that we did that the way we did is because that is the information that was accessed that impacted the greatest number of consumers. Yes, there were some additional data points that were accessed, but those additional data points impacted a very, very minimal amount of consumers.”
Griffanti said she did not know the exact number of consumers impacted who had additional information breached. She said the number of people impacted – 145.5 million – has not changed.
Direct Mail Notices
“So if you are a consumer whose credit card number was impacted, we sent direct mail notices to those consumers as we said we would,” Griffanti said. “The additional details like your expiration date on your credit card. Sure we didn’t put those into the press release. If we included all the details it would have been a very jumbled press release. But regardless we did let those consumers know via direct mail.”
On Jan. 31, the company launched its free lifetime credit locks service and extended free credit freezes through the end of June.
“You know I think it’s important to realize that you know we have apologized for the situation and we have continued to apologize for the situation,” Griffanti said. “And we’re really focusing on two main priorities now and that’s rebuilding trust with consumers and strengthening security. And those are you know really at the forefront of everything we’re doing right now.”
Griffanti said the company does know now that passport numbers and CVV codes on credit cards were not accessed by hackers.