Equifax breach included data on 10.9 million driver’s licenses

4:51 p.m Wednesday, Oct. 11, 2017 Business
The lastest revelations only deepen concerns about Equifax. (AJC file photo)

No wait, it gets worse for Equifax: The massive data breach announced last month by the company apparently included driver’s license data for nearly 11 million Americans.

The information, which could make it easier to commit identity theft and other fraud, was part of the breach first announced Sept. 7, according to the Wall Street Journal, which quoted “people familiar with the matter.”

That breach, which Equifax eventually said involved information about 145 million people, has put the Atlanta-based company in the national spotlight and in the crosshairs of consumer anger.

Clark Howard explains how to protect yourself.

News about the driver’s licenses will add to the taint on the firm’s reputation.

“This adds to the situation even if it doesn’t change the scope of the problem,” said Kevin Crowley, adjunct professor of finance at Emory University’s Goizueta School of Business. “Incrementally, the situation just keeps getting worse.”

Equifax did not respond to several inquiries from The Atlanta Journal-Constitution Wednesday.

The company had previously said that the theft had involved driver’s license information, but did not say how many. Since then, Equifax has privately told its corporate clients – mainly financial institutions – that data for 10.9 million licenses were taken, the Journal reported.

Personal and financial information is valuable – to both legitimate firms and crooks alike. The protections used by companies and consumers are simply inadequate, Crowley said. “It’s an arm’s race between security and hackers and we are losing the war.”

Companies must ramp up their defenses, he said. “It has created a vulnerability for our society. It is unacceptable.”

Equifax has managed the news as badly as it managed its data protection, wrote security expert Brian Krebs on his blog.

Consumers were, for a time, directed to a phony web site. Several top executives left the company in the days after the breach was announced, including two who had sold stock in August, after the company had discovered the breach but before it was made public.

CEO Richard Smith also retired, but then testified before Congress, sitting through a bipartisan condemnation.

This week, Equifax announced that the breach included data on 15.2 million people in Britain, then stumbled with an attempt to help consumers deal with their concerns, according to Krebs.

“It’s fairly terrifying when you realize that a company, which can’t even issue a press release without managing to omit the most important piece of information in it, wields so much power over consumers,” Krebs wrote. “I’ve been spending quite a bit of time looking at Equifax’s various Web properties … and I have to say it gets scarier the more I look.”

A driver’s license is often used to confirm a consumer’s identity, to verify spending, to apply for a new credit card or obtain a boarding pass at the airport.

A consumer can protect him or herself somewhat by asking a state’s motor vehicle bureau to cancel the license and issue a new one – a nuisance and an expense, but at least partial protection.

The larger danger is that the information stolen from Equifax can be used to forge a new identity. A license, for example, typically provides personal information that includes a name, addresses, height, weight and eye color, hair color and birth date.

Equifax has offered a year of free credit monitoring, but a consumer must act to sign up.

More than 60 million Americans checked their credit score or credit report in the first two weeks after the Equifax breach was announced, according to CreditCards.com.

But even more – about 71 million adults – seemed not to have heard anything at all about the breach, the survey said.

For consumers, the latest news is a clear message, said Matt Schulz, senior analyst for CreditCards.com: Do not grow complacent just because nothing bad seems to happen for a few weeks or months after a breach.

Every consumer should be diligent, regularly checking their credit and financial statements, he said. “The bad guys can be really patient. It is important everybody understand that.”

The huge amount of data amassed by companies like Equifax is an essential piece of the modern financial system. It also makes for an enticing and potentially lucrative target, Schulz said.

Consumers must act to protect themselves, because all their data is vulnerable, Schulz said. “The cake is baked. I don’t know how you unbake it.”

View full experience