IE 11 is not supported. For an optimal experience visit our site on another browser.

Equifax breaks down just how bad last year's data breach was

More than 99 percent of affected consumers had their Social Security numbers exposed.
Image: Equifax
The Equifax building in Atlanta.Rhona Wise / EPA file

Equifax has revealed the exact scope of the massive breach that exposed sensitive data about millions of Americans — including confirmation that thousands of passports and driver's licenses were compromised along with the Social Security numbers of nearly all of the more than 146 million affected consumers.

The disclosure, made in a filing Monday with the Securities and Exchange Commission and provided to congressional committees investigating the breach, represents the first precise accounting of what hackers stole from Equifax, one of the nation's biggest credit reporting agencies. It said none of the data represented newly discovered compromised information.

Equifax had previously acknowledged that the Social Security numbers of most of the 146.6 million consumers who were affected were part of the hack. The new filing specifies that 145.5 million Social Security numbers were compromised — representing more than 99 percent of all of the affected consumers.

More than 200,000 credit card numbers and expiration dates were also collected, it said, as well as government-issued identification documents — like driver's licenses, taxpayer ID cards, passports and military IDs — that about 182,000 consumers uploaded when they disputed credit reports with Equifax.

Equifax said it notified all of those victims by U.S. mail rather than announce them publicly.

"Through the company's analysis, Equifax believes it has satisfied applicable requirements to notify consumers and regulators," it said.

Image: Equifax Data Breach
A detail from Equifax's filing Monday with the Securities and Exchange Commission.Securities and Exchange Commission

Equifax has said the breach was discovered on July 29, 2017, but it didn't make that news public for almost a month and a half, on Sept. 7. Seven days later, Equifax revealed that the security hole exploited by the hackers was revealed in March 2017 but that it had failed to patch its systems.

Chief Executive Richard Smith retired under intense pressure on Sept. 26 as Congress and the Federal Trade Commission launched investigations.

In March, federal authorities charged Jun Ying, Equifax's former chief information officer, with insider trading linked to the data breach. The SEC said Ying sold all of his vested Equifax stock options after he learned of the risk to the company but before public investors were notified, saving himself more than $117,000 in potential losses.