New documents provided recently by Equifax to US senators revealed that the breach the company experienced last year may have involved types of data not mentioned in the initial disclosure of the incident.
Last May, malicious hackers exploited a known vulnerability in the Apache Struts development framework to gain unauthorized access to Equifax systems. The vulnerability was patched March 7, the same day it was announced, but Equifax security team failed to install the updates in a timely manner, leaving 143 million individuals to suffer the consequences.
However, confidential documents sent by Equifax to the Senate Banking Committee, show that hackers may have stolen additional information, including tax ID numbers, email addresses, and driver’s license information.
Equifax has responded saying its initial disclosure on was never intended to include all the types of information that may have been compromised.
Senator Elizabeth Warren has responded by asking Equifax to provide clarifications on “conflicting, confusing and incomplete information” provided by the company to both the public and Congress.
“As your company continues to issue incomplete, confusing and contradictory statements and hide information from Congress and the public, it is clear that five months after the breach was publicly announced, Equifax has yet to answer this simple question in full: what was the precise extent of the breach?” Sen. Warren wrote in a letter to Equifax.
Equifax has one week to provide Congress with a complete list of data elements confirmed or believed to have been compromised in the last Mays breach, with a timeline of its efforts provided to determine the full extent of the intrusion.
Last week Senator Warren published a 15-page report containing the findings of her personal investigation into the Equifax breach. Her investigation found that Equifax set up a flawed system to prevent data security incidents, ignored several warnings of risk to customer data, failed to disclose the breach to stakeholders in a timely fashion, and provided inadequate assistance and information to consumers.
Read the article on Security Week