Earlier this year, Senator Elizabeth Warren published a report charging that the Equifax hack was worse than the company initially disclosed, in part because hackers had accessed consumer passport information.
“Equifax failed to disclose the fact that the hackers gained access to consumers’ passport numbers,” says the report published by Warren’s office in February.
A passport breach poses obvious identity theft concerns, but it is also a national security risk. Security experts have previously identified passport theft as a terrorism threat.
At the time, Equifax denied that any passport data was stolen. Instead, the company claimed that hackers were unsuccessful in their attempt to hack passport data.
“The easiest way to understand this is that there was a field labeled passports [that was hacked] with no actual data in it,” Meredith Griffanti, an Equifax spokeswoman, told the New York Post in February.
But Equifax is now saying that passport data was stolen from several thousand consumers. The company made the admission in filings it submitted to the Securities and Exchange Commission (SEC) in response to an ongoing congressional investigation.
Hackers steal information on thousands of passports
The passport breach affected consumers who were trying to challenge information on their credit reports, according to the SEC filings. Equifax directed such consumers to submit complaints to an online dispute portal. The customers were then required by Equifax to submit scans of their ID cards to verify their identity in some cases -- information that was subsequently accessed in the 2017 hack.
Equifax says in the recent SEC filings that hackers accessed information uploaded to that dispute resolution center and made off with scans of 3,200 passports or passport cards. “As part of the dispute process, some consumers may have uploaded government-issued identifications through the portal,” Equifax explains in the SEC filing.
Though this particular aspect of the 2017 hack had not previously been disclosed to the public, Equifax says that it has already notified each affected customer individually. The company claims it had no legal duty to disclose the passport information being stolen to the rest of the general public.
“Because the company directly notified each impacted consumer, the company had not previously analyzed the government-issued identifications contained in the images uploaded in the dispute portal,” the filing says, adding that the “government-issued identifications that were uploaded by consumers to Equifax’s online dispute portal” were “stolen by the attackers.”
Stolen information and harder repercussions
Hackers also managed to steal scans of 38,000 driver’s licenses, 12,000 social security cards, and 3,000 forms of other ID from the same online portal.
Asked about why Equifax appeared to be giving inconsistent answers about whether passport data had been stolen, the company responded that it had been discussing a different aspect of the hack in the earlier answers it gave this year.
“Our response earlier this year regarding passports was related to the data elements contained in the database tables accessed by the attackers,” spokeswoman Meredith Griffanti tells ConsumerAffairs via email. “The analysis conducted on the data elements stolen from those tables found that there were no passport numbers within the passport field accessed by the attacker.”
Warren’s office is continuing to push for harsher repercussions for Equifax. Last month, she and two other lawmakers found that consumers had filed more than 20,000 complaints to Consumer Financial Protection Bureau (CFPB) following the cyber attack.