Equifax Data Breach Worse Than Reported, Warren Says

Equifax is under fire from reports that its 2017 data breach was more serious than previously believed, and that it included email addresses and tax ID numbers.

On Friday, Senator Elizabeth Warren (D-Mass.) sent a letter to Paulino do Rego Barros Jr., interim CEO of Equifax, citing “what appears to be misleading, incomplete, or contradictory information” provided to Congress and the public about the breach of data on 145 million Americans. She demanded answers within a week.

Equifax stated last year that hackers primarily accessed “names, Social Security numbers, birth dates, and, in some instances, driver’s license numbers…credit numbers…and certain dispute documents with personal identifying information,” Warren said.

But The Wall Street Journal reported on Friday that hackers accessed “such data as tax identification numbers, email addresses, and drivers' license information beyond the license numbers [Equifax] originally disclosed,” Warren added.

She continued that Equifax “failed to disclose any of this additional information” to the public.

Equifax spokeswoman Meredith Griffanti told AP that "in no way did we intend to mislead consumers."

Griffanti added that the company provided the banking finance committee with a “pretty exhaustive list,” AP reports. “We wanted to show them there was no stone unturned.”

However, there still are several unanswered questions, according to Warren.

For example, Equifax revealed to Congress that “attacker-accessed tables” contained tax ID numbers, email addresses, and passport numbers, Warren stated.

But the firm is “now claiming that passport numbers were not compromised -- despite informing the Committee that they were part of the ‘attacker-accessed tables,’” she said.

Warren also alleged that the company “continues to dissemble and downplay the significance” of the attack, and that it claims that email addresses “aren’t considered sensitive personal information.” She demanded the following answers within a week:

  • A list of all data elements that Equifax has confirmed were accessed by hackers in the breach.
  • A list of all data elements that Equifax has reason to believe may have been accessed by the hackers.
  • A timeline of the company’s efforts to confirm whether the data elements were accessed.
  • The process used by Equifax to inform the public that taxpayer identification numbers, email addresses, and drivers' license information were breached.

In a related development, Warren issued a critical staff report to Equifax last week, charging that the company had:

  • Failed to notify Congress and regulators about the breach in a timely fashion
  • Taken advantage of federal contracting loopholes and failed to adequately protect sensitive IRS taxpayer data
  • Provided inadequate assistance and information to consumers following the breach

According to the report, Equifax was awarded 2,106 Federal contracts worth over $120 million by such agencies as the General Services Administration, the Department of Justice, the Department of Homeland Security and the Equal Employment Opportunity Commission, over the past decade.

Calling for federal legislation to prevent breaches, the report also stated that Equifax had a flawed system to prevent and mitigate data security problems, and that it performed feeble monitoring of endpoint and email security.

“When a bank locks its doors at night, it doesn’t leave the money on the counter in the assumption that nobody will break in,” the report states. “It locks the cash in the vault. Equifax, on the other hand, retained sensitive information on easily accessible systems.”
