Naked Security

Equifax finds ANOTHER 2.4 million Americans hit by breach

...meanwhile, a new study says half of us haven't checked our credit reports or scores since the breach. No time like the present!

Just when you thought the Equifax clustermuck couldn’t get any muckier, the credit broker found another 2.4 million Americans affected by its 2017 breach.
The regurgitation of these fresh people’s data isn’t quite so unpalatable as it was when the original 145.5 million Americans (and another 15.2 Brits… plus some 100,000 Canadians) had their taxpayer IDs exposed, given that less sensitive personal data was involved, Equifax said.
In a statement posted this morning (1 March), Equifax said that these doxxed newbies only had partial drivers’ license information and their names stolen. That means that in the “vast majority of cases,” the data sets didn’t include home addresses, the respective drivers’ license states, dates of issuance or expiration dates…
…as opposed to the people originally identified in the breach, whose personal details, including taxpayer numbers and addresses, were stolen, leaving them vulnerable to identity theft.
The credit monger said that the 2.4 million aren’t part of that previously identified mass of affected Americans: a group whose number represented nearly half the country’s population. It identified the new group “as a result of ongoing analysis of data stolen” from the breach.
In its announcement on Thursday, Equifax gave a few details about the forensic examination that’s been under way since 29 July, when it first discovered the breach. (The incident was publicly announced on 7 September.)
Namely, forensic investigators have been using names and taxpayer IDs – Social Security Numbers (SSNs) – as “key data elements” to figure out who was affected by the cyberattack. That’s partly because forensics experts determined that the attackers’ main focus was to steal those SSNs. Because the SSNs of the newly identified victims hadn’t been stolen along with their partial drivers’ license information, they haven’t been informed before now.
Actually, this isn’t even about newly discovered stolen data, Equifax interim CEO Paulino do Rego Barros Jr. said in the post. Rather, it’s about…

…sifting through the previously identified stolen data, analyzing other information in our databases that was not taken by the attackers, and making connections that enabled us to identify additional individuals.

Well, OK. But it’s still the first time that those 2.4 million Americans are hearing about it, so it’s still new to a whole lot of somebodies. They’ll all be hearing about it directly from Equifax, the company says, and they’ll be offered the free identity theft protection and credit file monitoring services the credit broker has been offering to other affected people. The notifications will include information about how to register for those services.
Newcomers to the growing club of those who’ve been Equifax-ified should note that critics don’t much like the services that Equifax has offered in the wake of this string of nonpearls.
Those crummy pearls include the breach itself, the PIN screwup that put frozen credit files at risk, Equifax’s leaky customer portal in Argentina, the plunking of a breach info site onto the easy to typosquat and bafflingly convoluted domain equifaxsecurity2017.com (which Equifax then proceeded to scramble at least 3 times, sending customers to a fake phishing site for weeks). Then too, let’s not forget the insufficient, underprepared operators at the call centers, leaving alarmed customers facing delays and agents who couldn’t answer questions.
On Wednesday, after Massachusetts Senator Elizabeth Warren introduced legislation targeting credit bureaus’ bottom lines, she said that Equifax is “still making money off their own breach.”

Equifax may actually make money off this breach because it sells all these credit-protection devices, and even consumers who say, ‘Hey, I’m never doing business with Equifax again’ — well, good for you, but you go buy credit protection from someone else, they very well may be using Equifax to do the back office part.

So, what to do in light of the new findings? The same things we all should have done in light of the old findings: check our credit reports, and consider putting credit freezes in place.
It’s astonishing how many Americans haven’t bothered to take those precautions since the breach was announced in September. It’s dismaying that that includes friends and family who apparently don’t read news (AHEM!) about this or other breaches. Nor do they take such credit-protective, identity-theft-thwarting advice to heart.


According to a recent study from CreditCards.com, half of US adults said they haven’t looked at a credit report since the Equifax pratfall. Another 18% said they’ve never checked out their credit report or credit score.
What the muck!!?! Somebody please set up some credit-score-checking afternoon teas or something!

6 Comments

In all honesty Miss Vaas, if you have read your credit report then you know that the information in those reports is vague and hard to understand. I am considered well educated but still find those reports difficult to read. I find that I have to compare those reports to gain any insight. Also getting those reports is not as easy as we are led to believe. From the 3 major credit reporting sites only 2 (TransUnion & Equifax) will let you get your report online. You must mail your request to Experian or sign up for the free trial of their service. In my humble opinion these services owe us for using our personal data so freely.


Tracy, you are quite right. The credit reference reports are the property of each subject, yet we have to pay to see them. We do not have automatic right to correct errors, and they allow any tinpot financial entity to trawl through them and add data whether it is correct or not. Their search doesn’t even leave a footprint.
In July 2006 Lowell of Leeds pinned someone else’s bad £2,729.95 Barclaycard debt onto my Equifax and Experian reports. The debtor was someone with the same first and last names and date of birth. Never mind that I had a middle name and he didn’t, and I had always lived over 100 miles away from his town and had never had a Barclaycard. Barclaycard kindly confirmed in writing that I was not the debtor. It took over three months to get the libellous comment removed. It took until 2008 to get Lowell to refund £50 towards my out-of-pocket expenses in proving my innocence. The Information Commissioner’s Office was of no help.


It is a situation like that which prompted me to keep better records 4caster. Here in the United States it is a bit easier to see our credit reports but nonetheless proving an error in that report is difficult and sometimes costly. Mine is a common name, especially among women, so trying to prove innocence is problematic. When you get a summons from a debt collector that refers to you as Ms., Miss or Mrs. when in fact you are male and they don’t believe you is a bit frustrating. The creditor’s information states the debtor was female but it took me over a year to get it cleared away and the cost was considerable. While I can see some benefits from companies like TransUnion, Equifax, and Experian, their business model is geared to making money with no service given. Big data gathered by these companies is too haphazard and there is no accountability on how it is parsed and used. Like in your country, there is nowhere to really report these companies because there are no hard and true rules that apply to them. A big fail on our Government’s part. :)


Yes, pathetic. Our reaction will be swift when we experience economic pain en masse.
One reason for this apathy appears to be the perception that we are powerless against the onslaught of personal data theft. We are told we can’t buy stuff or get “freebies” without giving up our data. We are repeatedly asked for an endless stream of data without any idea of what it’s needed for, whether its surrender is required or allowed by law, or how, why, where, and for how long it will be retained. And since unnamed third parties are thrown into the mix we don’t have any way to know where the data is going to be shared.
So how is a hacker getting my data any different than what I’m up against with corporate America?


“Somebody please set up some credit-score-checking afternoon teas or something!”
Why??? There is ‘NO CONFIDENCE’ in any of these agencies anyone. They have all made millions selling our personal information to third parties and will never take responsibility for their actions (or more properly ***inaction***).


That means that in the “vast majority of cases,” the data sets didn’t include home addresses, the respective drivers’ license states, dates of issuance or expiration dates…
So how many different database formats does EquiLax use for storing people’s data?
1. We hope the bad guys don’t steal this one.
2. We *really* hope they don’t grab this one.
3. Eh, this one actually wouldn’t be all that bad.
