Equifax Submits Additional Statements to Congress Regarding the Incident
Equifax submitted a statement to congressional committees to supplement the company’s responses regarding the extent of the incident impacting U.S. consumers. “As announced on September 7, 2017, the information stolen by the attackers primarily included:
“As a result of its analysis of the standardized data elements, including using data not stolen in the attack, the company was able to confirm the approximate number of impacted U.S. consumers for each of the following data elements: name, date of birth, Social Security number, address information, gender, phone number, driver’s license number, email address, payment card number and expiration date, TaxID, and driver’s license state. As stated above, Equifax notified the public on September 7, 2017 of the primary data elements that were stolen. With respect to the data elements of gender, phone number, and email addresses, U.S. state data breach notification laws generally do not require notification to consumers when these data elements are compromised, particularly when an email address is not stolen in combination with further credentials that would permit access.”[i]
[i] EQUIFAX’S STATEMENT FOR THE RECORD REGARDING THE EXTENT OF THE CYBERSECURITY INCIDENT ANNOUNCED ON SEPTEMBER 7, 2017, https://www.sec.gov/Archives/edgar/data/33185/000119312518154706/d583804dex991.htm, May 7, 2018. Form 8-K (Current report), SEC Accession No. 0001193125-18-154706, Filing Date 2018-05-07.