UNITED STATES
SECURITIES AND EXCHANGE COMMISSION
Washington, D.C. 20549
FORM 8-K
CURRENT REPORT
Pursuant to Section 13 or 15(d)
of the Securities Exchange Act of 1934
Date of report (Date of earliest event reported): May 4, 2018
EQUIFAX INC.
(Exact name of registrant as specified in Charter)
Georgia | 001-06605 | 58-0401110 | ||
(State or other jurisdiction of incorporation) |
(Commission File Number) |
(IRS Employer Identification No.) | ||
1550 Peachtree Street, N.W. Atlanta, Georgia |
30309 | |||
(Address of principal executive offices) | (Zip Code) |
Registrants telephone number, including area code: (404) 885-8000
Not Applicable
(Former name or former address, if changed since last report)
Check the appropriate box below if the Form 8-K filing is intended to simultaneously satisfy the filing obligation of the registrant under any of the following provisions:
☐ | Written communications pursuant to Rule 425 under the Securities Act (17 CFR 230.425) |
☐ | Soliciting material pursuant to Rule 14a-12 under the Exchange Act (17 CFR 240.14a-12) |
☐ | Pre-commencement communications pursuant to Rule 14d-2(b) under the Exchange Act (17 CFR 240.14d-2(b)) |
☐ | Pre-commencement communications pursuant to Rule 13e-4(c) under the Exchange Act (17 CFR 240.13e-4(c)) |
Indicate by check mark whether the registrant is an emerging growth company as defined in Rule 405 of the Securities Act of 1933 (§230.405 of this chapter) or Rule 12b-2 of the Securities Exchange Act of 1934 (§240.12b-2 of this chapter).
Emerging growth company ☐
If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act. ☐
Item 8.01. | Other Events. |
On May 4, 2018, Equifax Inc. (the Company) submitted a statement for the record to multiple Congressional committees regarding the cybersecurity incident announced on September 7, 2017 in which certain personally identifiable information of U.S. consumers was stolen. The statement provided additional detail on the data elements stolen in the cybersecurity incident related to those U.S. consumers and was made in response to, and as part of the Companys ongoing cooperation with, governmental requests for information. The additional detail provided in the statement, which is described below, does not identify additional consumers affected and does not require additional consumer notifications. A copy of the statement is attached hereto as Exhibit 99.1 and is incorporated by reference herein.
Detail on Documents Uploaded to Online Dispute Portal
As part of the Companys notification of affected consumers in 2017, the Company notified by direct mail the consumers who had uploaded dispute documents to the Companys online dispute portal that their dispute information was accessed, and in order to provide information to each consumer regarding his or her accessed images, the Company provided each consumer with a list of the specific files that he or she had uploaded onto the Companys online dispute portal and the dates of those uploads. Because the Company directly notified each impacted consumer, the Company had not previously analyzed the government-issued identifications contained in the images uploaded in the dispute portal.
In response to governmental requests for additional information, the Company recently analyzed the dispute documents stolen in the cybersecurity incident and determined the approximate number of valid U.S. government-issued identifications that had been uploaded to the dispute portal: 38,000 drivers licenses, 12,000 social security or taxpayer ID cards, 3,200 passports or passport cards and 3,000 other government-issued identification documents such as military IDs, state-issued IDs and resident alien cards. The government identification documents described above do not identify additional consumers affected. Since all of these consumers were previously notified of the specific files that he or she had uploaded to the dispute portal, no further notifications of consumers are required.
Detail on Data Elements
In addition to the Companys review of the dispute documents, in order to respond to governmental requests for additional information, the Company provided additional information regarding the approximate number of consumers impacted for each of the data elements that was stolen in the cybersecurity incident.
The attackers stole consumer records from a number of database tables with different schemas. With assistance from Mandiant, a cybersecurity firm, forensic investigators were able to standardize certain data elements for further analysis to determine the consumers whose personally identifiable information was stolen. As a result of its analysis of the standardized data elements, including using data not stolen in the cybersecurity incident, the Company was able to
confirm the approximate number of those impacted U.S. consumers for each of the following data elements stolen in the cybersecurity incident: name (146.6 million), date of birth (146.6 million), Social Security number (145.5 million), address information (99 million), gender (27.3 million), phone number (20.3 million), drivers license number (17.6 million), email address (1.8 million), payment card number and expiration date (209,000), TaxID (97,500) and drivers license state (27,000). As noted above, the additional detail provided does not identify additional consumers affected, and does not require additional consumer notifications.
Item 9.01. | Financial Statements and Exhibits. |
(d) Exhibits
99.1 | Equifaxs statement for the record regarding the extent of the cybersecurity incident announced on September 7, 2017. |
SIGNATURES
Pursuant to the requirements of the Securities Exchange Act of 1934, the Registrant has duly caused this report to be signed on its behalf by the undersigned hereunto duly authorized.
Dated: May 7, 2018 | EQUIFAX INC. | |||||
/s/ John J. Kelley III | ||||||
John J. Kelley III | ||||||
Corporate Vice President, Chief Legal Officer and Corporate Secretary |
Exhibit 99.1
EQUIFAXS STATEMENT FOR THE RECORD
REGARDING THE EXTENT OF THE CYBERSECURITY INCIDENT
ANNOUNCED ON SEPTEMBER 7, 2017
Over the past several months, congressional committees have requested information from Equifax regarding the extent of the cybersecurity incident that Equifax reported on September 7, 2017. Accordingly, Equifax submits this statement to supplement the companys responses regarding the extent of the incident impacting U.S. consumers.
As announced on September 7, 2017, the information stolen by the attackers primarily included:
| names, Social Security numbers, birth dates, addresses and, in some instances, drivers license numbers of 143 million U.S. consumers (since updated) |
| credit card numbers of approximately 209,000 consumers |
| certain dispute documents with personal identifying information of approximately 182,000 consumers |
| limited personal information for certain United Kingdom and Canadian residents. |
As earlier statements made clear, the companys forensics experts found no evidence that Equifaxs U.S. and international core consumer, employment and income, or commercial credit reporting databases were accessed as part of the cyberattack. Furthermore, Equifax offered a comprehensive support package to impacted consumers on September 7, 2017.
The attackers stole consumer records from a number of database tables with different schemas, and the data elements stolen were not consistently labeled. For example, not every database table contained a field for drivers license number, and for more common elements like first name, one table may have labeled the column containing first name as FIRSTNAME, another may have used USER_FIRST_NAME, and a third may have used FIRST_NM. With assistance from Mandiant, a cybersecurity firm, forensic investigators were able to standardize certain data elements for further analysis to determine the impacted consumers and Equifaxs notification obligations.
As a result of its analysis of the standardized data elements, including using data not stolen in the attack, the company was able to confirm the approximate number of impacted U.S. consumers for each of the following data elements: name, date of birth, Social Security number, address information, gender, phone number, drivers license number, email address, payment card number and expiration date, TaxID, and drivers license state. As stated above, Equifax notified the public on September 7, 2017 of the primary data elements that were stolen. With respect to the data elements of gender, phone number, and email addresses, U.S. state data breach notification laws generally do not require notification to consumers when these data elements are compromised, particularly when an email address is not stolen in combination with further credentials that would permit access. The chart that follows provides the approximate number of impacted U.S. consumers for each of the listed data elements.
1
Data Element Stolen |
Standardized Columns Analyzed1 |
Approximate Number of Impacted U.S. Consumers | ||
Name | First Name, Last Name, Middle Name, Suffix, Full Name | 146.6 million | ||
Date of Birth | D.O.B. | 146.6 million | ||
Social Security Number2 | SSN | 145.5 million | ||
Address Information | Address, Address2, City, State, Zip | 99 million | ||
Gender | Gender | 27.3 million | ||
Phone Number | Phone, Phone2 | 20.3 million | ||
Drivers License Number3 | DL# | 17.6 million | ||
Email Address (w/o credentials) | Email Address | 1.8 million | ||
Payment Card Number and Expiration Date |
CC Number, Exp Date | 209,000 | ||
TaxID | TaxID | 97,500 | ||
Drivers License State | DL License State | 27,000 |
The data described above is not additional stolen data, and it does not impact additional consumers. The table reflects a summary of the companys analysis of data stolen in last years cybersecurity incident. This includes the extra measures the company took to confirm the
1 | The attackers accessed records across numerous database tables with different schemas. Forensic investigators were able to standardize certain columns containing various types of information for further analysis to determine the impacted consumers and Equifaxs notification obligations. The full list of standardized columns is SSN, First Name, Last Name, Middle Name, Suffix, Gender, Address, Address2, City, State, ZIP, Phone, Phone2, DL #, DL License State, DL Issued Date, D.O.B., Canada SIN, Passport #, CC Number, Exp Date, CV2, TaxID, Email Address, Full Name. |
2 | This represents the number of individuals who are part of the impacted population because their SSN was stolen. The impacted population included individuals with a SSN not stolen together with a name in jurisdictions that require notification in such circumstances (e.g., Indiana). Individual Tax ID numbers (ITINs) were generally housed in the same field as the SSNs. For clarity, all ITINs stored in the SSN field were included in the 145.5 million impacted population and consumers could use their ITIN in the lookup tool to see if they were affected. For approximately 97,500 individuals, the additional TaxID field contained a value that was stolen together with a SSN included in the lookup tool. |
3 | This includes the 2.4 million individuals whose partial drivers license information and name were stolen, as described in the companys announcement on March 1, 2018. |
2
identities of U.S. consumers whose partial drivers license information was stolen but who were not in the previously identified affected population, as announced on March 1, 2018. Equifax identified these consumers by referencing other information in proprietary company records that the attackers did not steal, and by engaging the resources of an external data provider.
Through the companys analysis, Equifax believes it has satisfied applicable requirements to notify consumers and regulators. It does not anticipate identifying further impacted consumers, as it has now completed analysis of government issued identification numbers stolen together with names. It should be noted that the additional analysis also confirmed that some of the standardized columns had no real data in the data fields (specifically the data fields for passport numbers, CV2s, and drivers license issue dates).
Separately from the elements described above, which were contained within database tables and files, and as previously reported in the companys press releases4 and responses to congressional questions, the attackers also accessed images uploaded to Equifaxs online dispute portal by approximately 182,000 U.S. consumers. As a national credit reporting agency, Equifax has a statutory obligation to facilitate disputes for consumers.
Between October and December 2017, Equifax notified by direct mail the consumers who had uploaded information to the dispute portal that their dispute information was accessed. In order to provide complete information to consumers regarding their accessed images, Equifax provided these consumers individualized notifications with a list of the specific files they had uploaded onto Equifaxs dispute portal and the dates of those uploads.
As part of the dispute process, some consumers may have uploaded government-issued identifications through the portal. Because the company directly notified each impacted consumer, the company had not previously analyzed the government-issued identifications contained in the images uploaded in the dispute portal. In response to congressional inquiry, we recently completed a manual review of the images that were uploaded by the impacted consumers. The chart that follows provides the approximate number of images of valid government-issued identifications.
Government-Issued Identification |
Approx. # of Images Uploaded | |||
Drivers License |
38,000 | |||
Social Security or Taxpayer ID Card |
12,000 | |||
Passport or Passport Card |
3,200 | |||
Other5 |
3,000 |
The data described above is not additional stolen data, and it does not impact additional consumers. The table reflects a summary of the companys recent analysis of government-issued identifications that were uploaded by consumers to Equifaxs online dispute portal and stolen by the attackers.
4 | See, e.g., Equifax press releases dated September 7, 2017, https://investor.equifax.com/news-and-events/news/2017/09-07-2017-213000628 and September 15, 2017, https://investor.equifax.com/news-and-events/news/2017/09-15-2017-224018832. |
5 | Includes other types of identification documents such as military IDs, state-issued IDs and resident alien cards. |
3
Equifax is committed to working with Congress and providing accurate information about the cybersecurity incident reported on September 7, 2017. Please let us know if you have questions about the information provided in this statement.
4