Content, Breach

Equifax Admits Personal Passport Info Stolen in Massive Breach

Equifax has admitted that passport information belonging to 3,200 Americans was among the 150 million records it left exposed in a massive security breach last year.

Three months after insisting that no passport information was involved in the heist, the credit rater recanted -- well, sort of recanted in a "yes, but" fashion.

Here’s a quick look back: In September 2017, Equifax disclosed that it had left open a trove of personal data on nearly half of all adult Americans, some six weeks after the incident had occurred. Then in February, the credit agency contended that no passport information had been compromised. But that was then and this is now: According to a letter sent last week to the Senate Banking Committee, Equifax stated that the stolen passport images don’t add to the total number of people affected by the breach, the Associated Press (AP) reported. The images were apparently located in an online “dispute portal” used by consumers to contest credit reporting errors in their records.

"In the interest of completeness, we manually reviewed the images stolen from the dispute portal, and through this manual process we found 3,200 images of passports or passport cards that were stolen," an Equifax spokesperson told the AP.

Passport Numbers: Safe

Vox got a bit more information: Equifax said that no passport numbers were found in a post mortem analysis of the “data elements contained in the database tables accessed by the attackers.” Because the company had already directly notified consumers impacted by the breach, it didn’t scan the government-issued IDs, including passports, in the portal until Congress asked it to do so.

That subsequent examination uncovered 38,000 driver’s licenses, 12,000 social security or taxpayer ID cards, the 3,200 passports or passport cards and 3,000 other government-issued IDs, Equifax said in an 8-K filing dated May 7. “Since all of these consumers were previously notified of the specific files that he or she had uploaded to the dispute portal, no further notifications of consumers are required,” Equifax said in the regulatory filing.

Last February, a report on the Equifax flap delivered by Senator Elizabeth Warren (D-MA) scalded the credit rater for its shoddy handling of the breach, pointing specifically to the passport numbers of a number of unidentified consumers. At the time Equifax denied the charge.

“A months-long investigation by my office revealed that Equifax had failed to fully disclose the scope of compromised information,” Warren told Vox. “After first denying the exposure of passport numbers, Equifax is finally coming clean. It’s unacceptable that the company has taken months to tell the whole truth after this massive breach.”

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.