Looks like that worst-ever Equifax data breach was ... actually worse.
In late 2017, the credit reporting agency divulged a systems breach exposed the personal information of 145.5 millions Americans, including names, Social Security numbers, birth dates, addresses, dispute documents, as well as some credit card account and driver's license numbers.
But the hackers also obtained tax identification numbers, email addresses, phone numbers, credit card expiration dates and driver’s license states and issuance dates, according to a document the credit bureau submitted to the Senate Banking Committee. That document was reviewed and first reported on by the Wall Street Journal.
Equifax spokesperson Meredith Griffanti confirmed the disclosure to the Senate Banking Committee, but said the additional compromised data applied to a very small number of consumers and the total number of people affected by the breach remains unchanged.
"By no means were we trying to mislead," Griffanti told Policygenius, pointing to the press release announcing the breach, which states the information "primarily" included Social Security numbers, birth dates, addresses and driver's license numbers.
"If we were to list all of the information in the press release [initially announcing the breach], it would have been a very long press release," she said. "We chose the information that affected the greatest number of consumers."
How will I know if I was affected?
You should already. Griffanti said Equifax sent direct mail notices to anyone who had their credit card information or dispute documents compromised. People were otherwise directed to use the bureau's lookup tool (Equifaxsecurity2017.com) to see if they were involved in the breach at the time it was announced. This tool is still available to the public, so if you didn't check then, you can (and should) check now. FYI, the tool lets you know if you were affected, but doesn't list the specific data of yours that was stolen.
What you can do to protect yourself
The additional information involved in the breach is sensitive, sure, but no more so than the data included in the initial disclosure. (Tax identification numbers are used by people who don't have a Social Security number, but need to file taxes.) So, if you took action after the breach was initially disclosed, you can stay in maintenance mode. If you didn't, well, consider this a call to action.
Steps people can take to protect themselves after any data breach include:
- Check your credit reports for signs of identity theft. You can get one from each major credit bureau for free every 12 months via AnnualCreditReport.com.
- Keep an eye on your credit and debit card accounts for fraudulent charges. Call your issuer ASAP to dispute anything odd you see — and to replace your card.
- Consider a credit freeze or credit lock, which block access to your credit reports and precludes thieves from opening new credit accounts in your name. There are usually fees associated with credit freezes, though Equifax is currently offering free credit locks to all U.S. consumers.
- Look into credit monitoring or identity theft insurance. Credit monitoring alerts you if any suspicious activity hits your report. So do identity theft insurance policies, which all cover the costs of cleaning up fraud.
- Do your taxes, like, right now, because that's the only way to minimize the odds of taxpayer ID theft (when a thief uses your Social Security number to steal your refund).
- Change your passwords across sensitive email and financial accounts — especially if you were using the same one for multiple access points.
We've got a full guide to surviving the Equifax data breach here.