March 2, 2018 — Equifax Inc said today that it expects $275 million in costs in 2018 related to the credit reporting company’s massive data breach last year, offset by $75 million in insurance proceeds.
The costs mainly reflect technology and data security upgrades, legal fees, and the offering of free identity theft protection and credit monitoring services to the more than 147 million consumers who were affected by the cybersecurity incident.
Additionally, Equifax announced that, as a result of an ongoing analysis of data stolen in last year’s cybersecurity incident, it has confirmed the identities of U.S. consumers whose partial driver’s license information was taken. Equifax was able to identify these consumers by referencing other information in proprietary company records that the attackers did not steal, and by engaging the resources of an external data provider.
Further Investigation Clarifies Somewhat
Through these additional efforts, Equifax was able to identify approximately 2.4 million U.S. consumers whose names and partial driver’s license information were stolen, but who were not in the previously identified affected population discussed in the company’s prior disclosures about the incident. This information was partial because, in the vast majority of cases, it did not include consumers’ home addresses, or their respective driver’s license states, dates of issuance, or expiration dates.
The methodology used in the company’s forensic examination of last year’s cybersecurity incident leveraged Social Security Numbers (SSNs) and names as the key data elements to identify who was affected by the cyberattack. This was in part because forensics experts had determined that the attackers were predominately focused on stealing SSNs. Today’s newly identified consumers were not previously informed because their SSNs were not stolen together with their partial driver’s license information.
“This is not about newly discovered stolen data,” said Paulino do Rego Barros, Jr., Interim Chief Executive Officer. “It’s about sifting through the previously identified stolen data, analyzing other information in our databases that was not taken by the attackers, and making connections that enabled us to identify additional individuals.”
Equifax will notify these newly identified U.S. consumers directly and will offer identity theft protection and credit file monitoring services at no cost to them. Information about registering for these services will be included in the notification.
“We continue to take broad measures to identify, inform, and protect consumers who may have been affected by this cyberattack,” Barros added. “We are committed to regaining the trust of consumers, improving transparency, and enhancing security across our network.”