Hackers In Equifax Breach Accessed More Personal Information Than Previously Disclosed (cnn.com)
An anonymous reader quotes a report from The Wall Street Journal (Warning: source may be paywalled; alternative source): Equifax said, in a document submitted to the Senate Banking Committee and reviewed by The Wall Street Journal, that cyberthieves accessed records across numerous tables in its systems that included such data as tax identification numbers, email addresses and drivers' license information beyond the license numbers it originally disclosed. The revelations come some five months after Equifax announced it had been breached and personal information belonging to 145.5 million consumers had been compromised, including names, Social Security numbers, dates of birth and addresses. It's unclear how many of the 145.5 million people are affected by the additional data including tax ID numbers, which are often assigned to people who don't have Social Security numbers. Hackers also accessed email addresses for some consumers, according to the document and an Equifax spokeswoman, who said "an insignificant number" of email addresses were affected. She added that email addresses aren't considered sensitive personal information because they are commonly searchable in public domains.
As for tax ID numbers, the Equifax spokeswoman said they "were generally housed in the same field" as Social Security numbers. She added that individuals without a Social Security number could use their tax ID number to see if they were affected by the hack. Equifax also said, in response to questions from The Wall Street Journal, that some additional drivers' license information had been accessed. The company publicly disclosed in its Sept. 7 breach announcement that drivers' license numbers were accessed; the document submitted to the banking committee also includes drivers' license issue dates and states.
I'm shocked (Not!) (Score:5, Informative)
This revelation comes just as it appears that the investigation of Equifax is being put on ice [reuters.com] and that the head of the CFPB thinks that his job included protecting the banks.
They should have pushed out this news last Friday or Monday when the market news would have buried it.
Re: (Score:2)
It is now illegal again to form a class action against Equifax, or even to bring suit yourself.
No, it's not. Until you've learned to read and understand what you've read, consider avoiding sharing your idiocy in Slashdot comments.
Re: (Score:2)
Well, for a start the ruling was only on the legitimacy of mandatory arbitration clauses. Any company that doesn't have such a clause can be sued.
Then there are the legal reasons you might sue someone that have fuck all to do with a written contract. I've never signed a mandatory arbitration clause with Equifax, if they commit a tort against me then sure, I can sue them.
wafting that rancid and ignorant attitude this way
You appear to have quite enough of one yourself already.
Re: (Score:2)
Well, for a start the ruling was only on the legitimacy of mandatory arbitration clauses. Any company that doesn't have such a clause can be sued. Then there are the legal reasons you might sue someone that have fuck all to do with a written contract. I've never signed a mandatory arbitration clause with Equifax, if they commit a tort against me then sure, I can sue them.
You cannot use any service without already agreeing to an arcane library of terms. Or are you seriously coming on here to claim you don't have to agree to one with any company despite the continual EULA and forced contract articles reposted here? You cannot sue on an individual basis because you in this example would have to prove that not only did the information come from Equifax, but direct proof of your damages, not to mention the court costs could easily top a few million USD. If you could, prove the Russian hacker collusion instead, that oughta be simpler. There is no legal basis to sue individually though you may start a frivolous lawsuit at your own peril. Class action lawsuits are blocked so there is also no recourse. No matter how criminal they are there is no legal recourse. I've provided links to actual sources. Yet you just handwave.
You appear to have quite enough of one yourself already.
Maybe you should have read the actual posts. You started the ad hominem, it just makes you look like an asshole who can't argue with logic or factual sources.
Re: (Score:2)
You cannot use any service without already agreeing to an arcane library of terms. Or are you seriously coming on here to claim you don't have to agree to one
Equifax hold data about me. I haven't got a relationship with them, I didn't give them permission to capture, process or store my data, and if they misuse it then I abso-fucking-lutely can sue them.
You started the ad hominem, it just makes you look like an asshole who can't argue with logic or factual sources.
Irony overload.
Re: (Score:2)
No, you did not. You linked to a fucking slashdot discussion on the Senate choosing not to restrict certain clauses in contracts, and that has sweet fuck all to do with whether I can sue someone or not.
Tell you what, link to the fucking law that stops me suing Equifax. Because you're going to fucking need one to overturn several fucking decades of legal precedent.
Fuck me you're dim.
Re: (Score:2)
Unless you specifically used their service for something like a credit check or whatever, you don't really have any legal standing to sue them.
All the data they collect on you is gathered from 3rd parties and shared with/purchased by them. Any time you got a loan or signed up for a credit card, you agreed to allow the entity to share data with Equifax.
Re: (Score:2)
Unless you specifically used their service for something like a credit check or whatever, you don't really have any legal standing to sue them.
So if I shoot your mother then as long as she didn't pay me for it, I'm in the clear?
The world does not work the way you think.
Re: (Score:2)
Have you ever taken out a loan? Do you have a credit card? I don't know you, I have no reason to trust you, I wouldn't lend you money.
Using 'these guys' though I could assess the risks involved and determine whether I'm likely to get my money back. This means that I may indeed extend credit to you, if that risk is lower than the costs to me of covering it.
So you directly benefit, as you can now borrow money where you would otherwise have been unable. I benefit, as I can turn capital into income. The economy
Nothing to fear. (Score:5, Insightful)
Nobody will be punished. Nobody will go to jail. There is nothing to fear, for the corporate CXOs.
Re: (Score:2)
Federal prisons need better harmonica players, if TV is anything to go by.
Re: (Score:2)
The swamp water had to go somewhere. I guess leaking everywhere was an option.
Corporate death penalty (Score:3, Insightful)
This probably violates data breach laws in many states, since Equifax seems to have failed to fully disclose the nature of the breach in a timely manner. This corporation has been so irresponsible and harmed so many people that they no longer deserve to exist. Give them the corporate death penalty, which is done by revoking their corporate charter. Put the c-level executives in prison, including those who got golden parachutes to walk away from this situation. Given that they would be grossly negligent, those golden parachutes and the assets of Equifax should be taken and allocated to the victims of the data breach, much like what has happened with Bernie Madoff's estate. Until there are severe enough penalties for negligent security and data practices, these breaches will continue. At some point, they might become irrelevant just because everyone's personal information is already compromised. We actually have the ability to move to more secure methods of authenticating who we are, including public-key encryption and multi-factor authentication. Mandate this for financial institutions who are offering any sort of credit. If the authentication isn't done, the person who is given credit is not liable to pay anything back and make any negative credit reporting by the institution considered libel.
Re: Corporate death penalty (Score:2)
You forgot the sarcasm tags. The Equifax breach has been fully forgotten by the public, the media has fully focused the public on some asshole's distant divorce and whether or not our president had chocolate milk or almond milk this morning.
Maybe.. (Score:3)
Maybe it would be easier to tell us what didn't get hacked...
No point in even worrying about this anymore (Score:5, Interesting)
Equifax, on the other hand, still need to have ALL their senior management dragged out into the street, heads chopped off, and planted on poles on Wall Street, as a WARNING to the rest of these assholes: DO NOT BE NEGLIGENT WITH OUR VERY MUCH PERSONAL DATA EVER AGAIN.
Re: (Score:2)
DO NOT BE NEGLIGENT WITH OUR VERY MUCH PERSONAL DATA EVER AGAIN.
But, as you say, it still doesn't really matter at this point. It's already out there - it can't get much more out there than it already is.
Re: (Score:2)
This country goes down because some assholes on Wall Street were fucktards? There will be blood.
Re: (Score:2)
This won't happen, nothing like this will happen. The only message that anyone is receiving is that they can absolutely and completely get away with being negligent with our data.
And it is the truth.
I'm sorry but you are terribly wrong. The message they are receiving is that selling your most intimate data to the highest bidder, then selling it again, then abusing and committing half of all white collar crimes possible with it loads them so full of cash they barely can get away. Oh yea, it's now illegal to sue them too, no matter how criminal or negligent. I keep punching myself in the face to be sure this is all real and not some kind of horrible alternate timeline.
It's Time to Devalue Personal Information (Score:1)
We need to pass legislation stating that merely having the personally identifiable information of another person is insufficient to prove the existence of a debt. Moreover, we need to completely redefine what it means to have proof of indebtedness. If SSN, Name, Home Address, and DOB weren't already useless for authentication, they sure as hell are useless now. For now, the only protection the individual has is to completely freeze all of their credit. At least then, you can demonstrate good faith effort
WTF (Score:1)
"She added that email addresses aren't considered sensitive personal information because they are commonly searchable in public domains."
E-mails are sensitive personal information when linked with other personal information you piece of shit fuck.