WASHINGTON–As part of its testimony before the Senate Banking Committee, Equifax has confirmed that more personal data was stolen in its September 2017 breach than had originally been believed.
While the total number of records breached–145.5 million–remains the same, the company said more of those people had email addresses, tax ID numbers and driver’s license information taken than had originally been reported.
Social Security numbers, birthdates, addresses, credit card numbers and other information was also taken by hackers.
The breach, which began on March 10, 2017, was caused by the company’s failure to patch the Apache Struts web application that hackers exploited.
More than 100 lawsuits have been filed, and the Federal Trade Commission, the Department of Justice, the State of New York, and regulators in Canada and the United Kingdom have all launched investigations.
The news of the broader breach comes at the same time a group of senators has demanded the CFPB confirm that it has dialed back its investigation of the breach, as CUToday.info reported here.
Earlier, Sen. Elizabeth Warren (D-MA) also issued a report of her own on the breach, as CUToday.info reported here.
In January, Warren and Sen. Mark Warner (D-VA) introduced draft legislation dubbed the Data Breach Prevention and Compensation Act that is designed "to hold large credit reporting agencies (CRAs) - including Equifax - accountable for data breaches involving consumer data."
Under her draft legislation, Warren said Equifax would have faced a $1.5-billion penalty.