Equifax Hack Disclosed Driver's License Data for More Than 10 Million -- Update

By AnnaMaria Andriotis and Emily Glazer Features Dow Jones Newswires

Driver's license data for around 10.9 million Americans were compromised during the breach of Equifax Inc.'s systems, according to people familiar with the matter.

Continue Reading Below

The license information was accessed by hackers who also took vital personal information, including Social Security numbers, of potentially 145.5 million Americans. Not all those people would have had license information in Equifax's system.

Separately, Equifax said Tuesday that a file containing 15.2 million U.K. consumer records was attacked during the company's hack.

Equifax announced the breach, which also affected consumers in Canada, on Sept. 7. At that time, the company said that "in some instances" U.S. driver's license numbers were accessed, but didn't publicly say how many.

In recent weeks, Equifax has told customers, mainly financial institutions, that the driver's license information for 10.9 million consumers was accessed, the people said.

Equifax didn't immediately respond to a request for comment.

Continue Reading Below

The disclosure of driver's license information could give hackers even more information to use to try committing fraud. Although information varies by state, licenses typically include a person's name, date of birth, home address and personal details such as height and eye color.

People who had given driver's license information to Equifax were in many cases doing so as a way of verifying their identity with the company. This in some cases happened when consumers were using a webpage meant to resolve disputes about credit-report information.

The dispute-resolution page appears to have been at least one avenue hackers used to access the company's systems. This was done by hackers exploiting a security vulnerability in software that ran on the dispute portal's web application.

During congressional hearings last week, former Equifax CEO Richard Smith said the company had seen a public notification of this vulnerability. But an employee in one area of the company failed to properly notify others to patch the vulnerability. Compounding that error, Mr. Smith added, a scan of the company's systems meant to act as a backup failed to detect the lack of a patch.

This allowed hackers to roam in the company's data systems for more than four months and compromise consumers' personal information for more than two of those months before Equifax security staff noticed suspicious activity on its systems in late July.

The breach also led lawmakers at last week's hearings to raise concerns about credit-reporting firms' access to vast amounts of consumer data, with some calling for more regulatory oversight of Equifax and its peers.

In the U.K., Equifax on Tuesday said the hack had involved a file containing 15.2 million U.K. records dating from between 2011 and 2016. It added that the file contained "data relating to actual consumers as well as sizeable test datasets, duplicates and spurious fields."

Equifax said that it will contact 693,665 U.K. consumers who are at risk due to the information compromised. Most of the records, 14.5 million, may only contain the name and date of birth of certain U.K. consumers, the company added.

Write to AnnaMaria Andriotis at annamaria.andriotis@wsj.com and Emily Glazer at emily.glazer@wsj.com

(END) Dow Jones Newswires

October 10, 2017 16:16 ET (20:16 GMT)