Driving licences and passports compromised in 2017 security breach, Equifax now admits

Equifax reveals more details about the data and information compromised in 2017 security breach

Credit reference agency Equifax has admitted that around 38,000 driving licences and 3,200 passports were also compromised in last year's cyber breach.

The company has written to several US congressional committees to provide more information about the people and data caught up in the widescale attack.

It explained that data from thousands of people's driving licences and passports had also been compromised in the attack, which took place last September. That's in addition to the personal details of more than 146 million people that the company has already admitted were compromised.

After conducting a further analysis into the breach, the company discovered that more document types had been targeted by hackers.

Equifax said an additional 12,000 social security and 3,000 other government identification documents - including military IDs and resident alien cards - were also affected.

"The company had not previously analysed the government-issued identifications contained in the images uploaded in the dispute portal," wrote the company in the letter.

"In response to governmental requests for additional information, the company recently analysed the dispute documents stolen in the cybersecurity incident and determined the approximate number of valid US government-issued identifications that had been uploaded to the dispute portal."

However, Equifax said it had not identified additional customers impacted by the hack.

"The government identification documents described above do not identify additional consumers affected," it explained.

"Since all of these consumers were previously notified of the specific files that he or she had uploaded to the dispute portal, no further notifications of consumers are required."

The firm also reiterated the overall impact of the breach, including 146.6 million names, 146.6 million dates of birth, 145.5 million social security numbers, 99 million addresses and 209,000 card numbers.

"In order to respond to governmental requests for additional information, the company provided additional information regarding the approximate number of consumers impacted for each of the data elements that was stolen in the cybersecurity incident," added the firm.

"With assistance from Mandiant, a cybersecurity firm, forensic investigators were able to standardise certain data elements for further analysis to determine the consumers whose personally identifiable information was stolen."