Form 8-K

Dated: May 7, 2018

EQUIFAX INC.

/s/ John J. Kelley III

John J. Kelley III

Corporate Vice President, Chief Legal Officer

and Corporate Secretary

0001193125-18-154706.txt : 20180507 0001193125-18-154706.hdr.sgml : 20180507 20180507172402 ACCESSION NUMBER: 0001193125-18-154706 CONFORMED SUBMISSION TYPE: 8-K PUBLIC DOCUMENT COUNT: 2 CONFORMED PERIOD OF REPORT: 20180504 ITEM INFORMATION: Other Events ITEM INFORMATION: Financial Statements and Exhibits FILED AS OF DATE: 20180507 DATE AS OF CHANGE: 20180507 FILER: COMPANY DATA: COMPANY CONFORMED NAME: EQUIFAX INC CENTRAL INDEX KEY: 0000033185 STANDARD INDUSTRIAL CLASSIFICATION: SERVICES-CONSUMER CREDIT REPORTING, COLLECTION AGENCIES [7320] IRS NUMBER: 580401110 STATE OF INCORPORATION: GA FISCAL YEAR END: 1231 FILING VALUES: FORM TYPE: 8-K SEC ACT: 1934 Act SEC FILE NUMBER: 001-06605 FILM NUMBER: 18812264 BUSINESS ADDRESS: STREET 1: 1550 PEACHTREE ST NW CITY: ATLANTA STATE: GA ZIP: 30302 BUSINESS PHONE: 4048858000 MAIL ADDRESS: STREET 1: 1550 PEACHTREE ST NW CITY: ATLANTA STATE: GA ZIP: 30309 FORMER COMPANY: FORMER CONFORMED NAME: RETAIL CREDIT CO DATE OF NAME CHANGE: 19760222 8-K 1 d583804d8k.htm FORM 8-K Form 8-K

UNITED STATES

SECURITIES AND EXCHANGE COMMISSION

Washington, D.C. 20549

FORM 8-K

CURRENT REPORT

Pursuant to Section 13 or 15(d)

of the Securities Exchange Act of 1934

Date of report (Date of earliest event reported): May 4, 2018

EQUIFAX INC.

(Exact name of registrant as specified in Charter)


Georgia	001-06605	58-0401110
(State or other jurisdiction of incorporation)	(Commission File Number)	(IRS Employer Identification No.)

1550 Peachtree Street, N.W. Atlanta, Georgia		30309
(Address of principal executive offices)		(Zip Code)

Registrant’s telephone number, including area code: (404) 885-8000

Not Applicable

(Former name or former address, if changed since last report)

Check the appropriate box below if the Form 8-K filing is intended to simultaneously satisfy the filing obligation of the registrant under any of the following provisions:

☐	Written communications pursuant to Rule 425 under the Securities Act (17 CFR 230.425)

☐	Soliciting material pursuant to Rule 14a-12 under the Exchange Act (17 CFR 240.14a-12)

☐	Pre-commencement communications pursuant to Rule 14d-2(b) under the Exchange Act (17 CFR 240.14d-2(b))

☐	Pre-commencement communications pursuant to Rule 13e-4(c) under the Exchange Act (17 CFR 240.13e-4(c))

Indicate by check mark whether the registrant is an emerging growth company as defined in Rule 405 of the Securities Act of 1933 (§230.405 of this chapter) or Rule 12b-2 of the Securities Exchange Act of 1934 (§240.12b-2 of this chapter).

Emerging growth company ☐

If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act. ☐

Item 8.01.

Other Events.

On May 4, 2018, Equifax Inc. (the “Company”) submitted a statement for the record to multiple Congressional committees regarding the cybersecurity incident announced on September 7, 2017 in which certain personally identifiable information of U.S. consumers was stolen. The statement provided additional detail on the data elements stolen in the cybersecurity incident related to those U.S. consumers and was made in response to, and as part of the Company’s ongoing cooperation with, governmental requests for information. The additional detail provided in the statement, which is described below, does not identify additional consumers affected and does not require additional consumer notifications. A copy of the statement is attached hereto as Exhibit 99.1 and is incorporated by reference herein.

Detail on Documents Uploaded to Online Dispute Portal

As part of the Company’s notification of affected consumers in 2017, the Company notified by direct mail the consumers who had uploaded dispute documents to the Company’s online dispute portal that their dispute information was accessed, and in order to provide information to each consumer regarding his or her accessed images, the Company provided each consumer with a list of the specific files that he or she had uploaded onto the Company’s online dispute portal and the dates of those uploads. Because the Company directly notified each impacted consumer, the Company had not previously analyzed the government-issued identifications contained in the images uploaded in the dispute portal.

In response to governmental requests for additional information, the Company recently analyzed the dispute documents stolen in the cybersecurity incident and determined the approximate number of valid U.S. government-issued identifications that had been uploaded to the dispute portal: 38,000 driver’s licenses, 12,000 social security or taxpayer ID cards, 3,200 passports or passport cards and 3,000 other government-issued identification documents such as military IDs, state-issued IDs and resident alien cards. The government identification documents described above do not identify additional consumers affected. Since all of these consumers were previously notified of the specific files that he or she had uploaded to the dispute portal, no further notifications of consumers are required.

Detail on Data Elements

In addition to the Company’s review of the dispute documents, in order to respond to governmental requests for additional information, the Company provided additional information regarding the approximate number of consumers impacted for each of the data elements that was stolen in the cybersecurity incident.

The attackers stole consumer records from a number of database tables with different schemas. With assistance from Mandiant, a cybersecurity firm, forensic investigators were able to standardize certain data elements for further analysis to determine the consumers whose personally identifiable information was stolen. As a result of its analysis of the standardized data elements, including using data not stolen in the cybersecurity incident, the Company was able to

confirm the approximate number of those impacted U.S. consumers for each of the following data elements stolen in the cybersecurity incident: name (146.6 million), date of birth (146.6 million), Social Security number (145.5 million), address information (99 million), gender (27.3 million), phone number (20.3 million), driver’s license number (17.6 million), email address (1.8 million), payment card number and expiration date (209,000), TaxID (97,500) and driver’s license state (27,000). As noted above, the additional detail provided does not identify additional consumers affected, and does not require additional consumer notifications.

Item 9.01.

Financial Statements and Exhibits.

(d) Exhibits



99.1		Equifax’s statement for the record regarding the extent of the cybersecurity incident announced on September 7, 2017.

SIGNATURES

Pursuant to the requirements of the Securities Exchange Act of 1934, the Registrant has duly caused this report to be signed on its behalf by the undersigned hereunto duly authorized.

EX-99.1 2 d583804dex991.htm EX-99.1 EX-99.1

Exhibit 99.1

EQUIFAX’S STATEMENT FOR THE RECORD

REGARDING THE EXTENT OF THE CYBERSECURITY INCIDENT

ANNOUNCED ON SEPTEMBER 7, 2017

Over the past several months, congressional committees have requested information from Equifax regarding the extent of the cybersecurity incident that Equifax reported on September 7, 2017. Accordingly, Equifax submits this statement to supplement the company’s responses regarding the extent of the incident impacting U.S. consumers.

As announced on September 7, 2017, the information stolen by the attackers primarily included:

•

names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers of 143 million U.S. consumers (since updated)

•

credit card numbers of approximately 209,000 consumers

•

certain dispute documents with personal identifying information of approximately 182,000 consumers

•

limited personal information for certain United Kingdom and Canadian residents.

As earlier statements made clear, the company’s forensics experts found no evidence that Equifax’s U.S. and international core consumer, employment and income, or commercial credit reporting databases were accessed as part of the cyberattack. Furthermore, Equifax offered a comprehensive support package to impacted consumers on September 7, 2017.

The attackers stole consumer records from a number of database tables with different schemas, and the data elements stolen were not consistently labeled. For example, not every database table contained a field for driver’s license number, and for more common elements like first name, one table may have labeled the column containing first name as “FIRSTNAME,” another may have used “USER_FIRST_NAME,” and a third may have used “FIRST_NM.” With assistance from Mandiant, a cybersecurity firm, forensic investigators were able to standardize certain data elements for further analysis to determine the impacted consumers and Equifax’s notification obligations.

As a result of its analysis of the standardized data elements, including using data not stolen in the attack, the company was able to confirm the approximate number of impacted U.S. consumers for each of the following data elements: name, date of birth, Social Security number, address information, gender, phone number, driver’s license number, email address, payment card number and expiration date, TaxID, and driver’s license state. As stated above, Equifax notified the public on September 7, 2017 of the primary data elements that were stolen. With respect to the data elements of gender, phone number, and email addresses, U.S. state data breach notification laws generally do not require notification to consumers when these data elements are compromised, particularly when an email address is not stolen in combination with further credentials that would permit access. The chart that follows provides the approximate number of impacted U.S. consumers for each of the listed data elements.


Data Element Stolen	Standardized Columns Analyzed¹	Approximate Number of Impacted U.S. Consumers
Name	First Name, Last Name, Middle Name, Suffix, Full Name	146.6 million
Date of Birth	D.O.B.	146.6 million
Social Security Number²	SSN	145.5 million
Address Information	Address, Address2, City, State, Zip	99 million
Gender	Gender	27.3 million
Phone Number	Phone, Phone2	20.3 million
Driver’s License Number³	DL#	17.6 million
Email Address (w/o credentials)	Email Address	1.8 million
Payment Card Number and Expiration Date	CC Number, Exp Date	209,000
TaxID	TaxID	97,500
Driver’s License State	DL License State	27,000

The data described above is not additional stolen data, and it does not impact additional consumers. The table reflects a summary of the company’s analysis of data stolen in last year’s cybersecurity incident. This includes the extra measures the company took to confirm the

The attackers accessed records across numerous database tables with different schemas. Forensic investigators were able to standardize certain columns containing various types of information for further analysis to determine the impacted consumers and Equifax’s notification obligations. The full list of standardized columns is SSN, First Name, Last Name, Middle Name, Suffix, Gender, Address, Address2, City, State, ZIP, Phone, Phone2, DL #, DL License State, DL Issued Date, D.O.B., Canada SIN, Passport #, CC Number, Exp Date, CV2, TaxID, Email Address, Full Name.

This represents the number of individuals who are part of the impacted population because their SSN was stolen. The impacted population included individuals with a SSN not stolen together with a name in jurisdictions that require notification in such circumstances (e.g., Indiana). Individual Tax ID numbers (ITINs) were generally housed in the same field as the SSNs. For clarity, all ITINs stored in the SSN field were included in the 145.5 million impacted population and consumers could use their ITIN in the lookup tool to see if they were affected. For approximately 97,500 individuals, the additional “TaxID” field contained a value that was stolen together with a SSN included in the lookup tool.

³	This includes the 2.4 million individuals whose partial driver’s license information and name were stolen, as described in the company’s announcement on March 1, 2018.

identities of U.S. consumers whose partial driver’s license information was stolen but who were not in the previously identified affected population, as announced on March 1, 2018. Equifax identified these consumers by referencing other information in proprietary company records that the attackers did not steal, and by engaging the resources of an external data provider.

Through the company’s analysis, Equifax believes it has satisfied applicable requirements to notify consumers and regulators. It does not anticipate identifying further impacted consumers, as it has now completed analysis of government issued identification numbers stolen together with names. It should be noted that the additional analysis also confirmed that some of the standardized columns had no real data in the data fields (specifically the data fields for passport numbers, CV2s, and driver’s license issue dates).

Separately from the elements described above, which were contained within database tables and files, and as previously reported in the company’s press releases⁴ and responses to congressional questions, the attackers also accessed images uploaded to Equifax’s online dispute portal by approximately 182,000 U.S. consumers. As a national credit reporting agency, Equifax has a statutory obligation to facilitate disputes for consumers.

Between October and December 2017, Equifax notified by direct mail the consumers who had uploaded information to the dispute portal that their dispute information was accessed. In order to provide complete information to consumers regarding their accessed images, Equifax provided these consumers individualized notifications with a list of the specific files they had uploaded onto Equifax’s dispute portal and the dates of those uploads.

As part of the dispute process, some consumers may have uploaded government-issued identifications through the portal. Because the company directly notified each impacted consumer, the company had not previously analyzed the government-issued identifications contained in the images uploaded in the dispute portal. In response to congressional inquiry, we recently completed a manual review of the images that were uploaded by the impacted consumers. The chart that follows provides the approximate number of images of valid government-issued identifications.


Government-Issued Identification	Approx. # of Images Uploaded
Driver’s License		38,000
Social Security or Taxpayer ID Card		12,000
Passport or Passport Card		3,200
Other⁵		3,000

The data described above is not additional stolen data, and it does not impact additional consumers. The table reflects a summary of the company’s recent analysis of government-issued identifications that were uploaded by consumers to Equifax’s online dispute portal and stolen by the attackers.

⁴	See, e.g., Equifax press releases dated September 7, 2017, https://investor.equifax.com/news-and-events/news/2017/09-07-2017-213000628 and September 15, 2017, https://investor.equifax.com/news-and-events/news/2017/09-15-2017-224018832.

⁵	Includes other types of identification documents such as military IDs, state-issued IDs and resident alien cards.

Equifax is committed to working with Congress and providing accurate information about the cybersecurity incident reported on September 7, 2017. Please let us know if you have questions about the information provided in this statement.