Equifax Submits Additional Statements to Congress Regarding the Incident

Equifax submitted a statement to congressional committees to supplement the company’s responses regarding the extent of the incident impacting U.S. consumers.  “As announced on September 7, 2017, the information stolen by the attackers primarily included:

“As a result of its analysis of the standardized data elements, including using data not stolen in the attack, the company was able to confirm the approximate number of impacted U.S. consumers for each of the following data elements: name, date of birth, Social Security number, address information, gender, phone number, driver’s license number, email address, payment card number and expiration date, TaxID, and driver’s license state. As stated above, Equifax notified the public on September 7, 2017 of the primary data elements that were stolen. With respect to the data elements of gender, phone number, and email addresses, U.S. state data breach notification laws generally do not require notification to consumers when these data elements are compromised, particularly when an email address is not stolen in combination with further credentials that would permit access.”[i]

[i] EQUIFAX’S STATEMENT FOR THE RECORD REGARDING THE EXTENT OF THE CYBERSECURITY INCIDENT

ANNOUNCED ON SEPTEMBER 7, 2017  https://www.sec.gov/Archives/edgar/data/33185/000119312518154706/d583804dex991.htm, May 7, 2018 Form 8-K – Current report: SEC Accession No. 0001193125-18-154706  Filing Date 2018-05-07