2017’s Equifax Hack Affected Nearly 148 Million People

March 6, 2018

Last year, hackers targeted the credit reporting firm Equifax in one of the biggest data breaches in history. While the company initially estimated the cyberattack had affected 143 million consumers, it increased that number by 2.5 million a month later. Then last week Equifax announced a further 2.4 million people had been harmed by the hack, placing the grand total somewhere in the neighborhood of 148 million. Unlike the vast majority of consumers who had their social security information leaked, these newly added victims had portions of their driver’s license data compromised.

The company claims these breaches took so long to identify because it was initially focused on analyzing accounts where a social security number had been stolen. “This is not about newly discovered stolen data,” said Equifax’s interim CEO Paulino do Rego Barros Jr. “It’s about sifting through the previously identified stolen data, analyzing other information in our databases that was not taken by the attackers, and making connections that enabled us to identify additional individuals.” What’s more, the firm estimates that costs related to the hack could reach “well over $600 million,” although some of that amount will be covered by insurance.

Still, Equifax has some prominent critics who question the company’s commitment to transparency. “I spent five months investigating the Equifax breach and found the company failed to disclose the full extent of the hack,” said Senator Elizabeth Warren. “Enough is enough. We have to start holding the credit reporting industry accountable.” Senator Warren’s investigation even found evidence that the hackers had stolen consumers’ passport numbers, although Equifax denies this claim. The company remains in the government’s sights, however, with the House Energy and Commerce Committee conducting its own investigation currently. In fact, Representative Greg Walden says the company has only provided partial responses to the committee’s “repeated” requests for documents. “The American people deserve to know what went wrong, and our investigation will continue in full force until there are answers,” said Walden.


  1. Should Equifax executives be more transparent with authorities who are investigating last year’s hack? Why do you think the company would be reluctant to do so?
  2. Do you think the final tally of consumers affected by the Equifax hack will stay at 148 million or increase by even more?

Sources: John McCrank and Jim Finkle, “Equifax Breach Could Be Most Costly in Corporate History,” Reuters, March 2, 2018; Brian Fung, “Equifax’s Massive 2017 Data Breach Keeps Getting Worse,” The Washington Post, March 1, 2018. Photo by Marco Verch.

One Response to 2017’s Equifax Hack Affected Nearly 148 Million People

  • Equifax said the new total was the result of continued analysis of the breach, and that the company would notify the newly identified US consumers directly and offer identity theft protection and credit file monitoring services at no cost. However, the company said only the names and driver’s licence numbers were exposed in the newly discovered cases. The breach, which was blamed on a failure to patch all Equifax IT systems to prevent hackers from taking advantage of a vulnerability in the Apache Struts web application framework, also affected around 694,000 UK consumers. The UK data was restricted to name, date of birth, email address and a telephone number, but did not include any residential address information, password information or financial data, said Equifax. The announcement of the additional US consumers affected coincided with the release of the company’s earnings statement for the fourth quarter and full year that revealed the breach cost $114m after insurance payouts. The breach also saw the departure of CEO Richard Smith, chief information officer Susan Mauldin and chief security officer David Webb.

Leave a Reply