Equifax finds ANOTHER 2.4 million Americans hit by breach

Just when you thought the Equifax clustermuck couldn’t get any muckier, the credit broker found another 2.4 million Americans affected by its 2017 breach.

The regurgitation of these fresh people’s data isn’t quite so unpalatable as it was when the original 145.5 million Americans (and another 15.2 Brits… plus some 100,000 Canadians) had their taxpayer IDs exposed, given that less sensitive personal data was involved, Equifax said.

In a statement posted this morning (1 March), Equifax said that these doxxed newbies only had partial drivers’ license information and their names stolen. That means that in the “vast majority of cases,” the data sets didn’t include home addresses, the respective drivers’ license states, dates of issuance or expiration dates…

…as opposed to the people originally identified in the breach, whose personal details, including taxpayer numbers and addresses, were stolen, leaving them vulnerable to identity theft.

The credit monger said that the 2.4 million aren’t part of that previously identified mass of affected Americans: a group whose number represented nearly half the country’s population. It identified the new group “as a result of ongoing analysis of data stolen” from the breach.

In its announcement on Thursday, Equifax gave a few details about the forensic examination that’s been under way since 29 July, when it first discovered the breach. (The incident was publicly announced on 7 September.)

Namely, forensic investigators have been using names and taxpayer IDs – Social Security Numbers (SSNs) – as “key data elements” to figure out who was affected by the cyberattack. That’s partly because forensics experts determined that the attackers’ main focus was to steal those SSNs. Because the SSNs of the newly identified victims hadn’t been stolen along with their partial drivers’ license information, they haven’t been informed before now.

Actually, this isn’t even about newly discovered stolen data, Equifax interim CEO Paulino do Rego Barros Jr. said in the post. Rather, it’s about…

…sifting through the previously identified stolen data, analyzing other information in our databases that was not taken by the attackers, and making connections that enabled us to identify additional individuals.

Well, OK. But it’s still the first time that those 2.4 million Americans are hearing about it, so it’s still new to a whole lot of somebodies. They’ll all be hearing about it directly from Equifax, the company says, and they’ll be offered the free identity theft protection and credit file monitoring services the credit broker has been offering to other affected people. The notifications will include information about how to register for those services.

Newcomers to the growing club of those who’ve been Equifax-ified should note that critics don’t much like the services that Equifax has offered in the wake of this string of nonpearls.

Those crummy pearls include the breach itself, the PIN screwup that put frozen credit files at risk, Equifax’s leaky customer portal in Argentina, the plunking of a breach info site onto the easy to typosquat and bafflingly convoluted domain equifaxsecurity2017.com (which Equifax then proceeded to scramble at least 3 times, sending customers to a fake phishing site for weeks). Then too, let’s not forget the insufficient, underprepared operators at the call centers, leaving alarmed customers facing delays and agents who couldn’t answer questions.

On Wednesday, after Massachusetts Senator Elizabeth Warren introduced legislation targeting credit bureaus’ bottom lines, she said that Equifax is “still making money off their own breach.”

Equifax may actually make money off this breach because it sells all these credit-protection devices, and even consumers who say, ‘Hey, I’m never doing business with Equifax again’ — well, good for you, but you go buy credit protection from someone else, they very well may be using Equifax to do the back office part.

So, what to do in light of the new findings? The same things we all should have done in light of the old findings: check our credit reports, and consider putting credit freezes in place.

It’s astonishing how many Americans haven’t bothered to take those precautions since the breach was announced in September. It’s dismaying that that includes friends and family who apparently don’t read news (AHEM!) about this or other breaches. Nor do they take such credit-protective, identity-theft-thwarting advice to heart.

According to a recent study from CreditCards.com, half of US adults said they haven’t looked at a credit report since the Equifax pratfall. Another 18% said they’ve never checked out their credit report or credit score.

What the muck!!?! Somebody please set up some credit-score-checking afternoon teas or something!