Equifax breach exposed more than previously thought

The Equifax hack could be worse than we thought. By Donna Borak and Kathryn Vasel

WASHINGTON (CNNMoney) — The Equifax breach may have exposed more personal information of customers than previously thought.

Additional information, including tax IDs and driver’s license details, may have been accessed in a hack that affected 145.5 million customers, according to confidential documents Equifax provided to the Senate Banking Committee seen by CNN.

The disclosure follows Equifax’s original announcement of the breach in September, which compromised sensitive data like names, dates of birth, Social Security numbers and home addresses.

In its original announcement of the hack, the company had revealed that some driver’s license numbers were exposed. The new documents show that the license state and issue date might have also been compromised.

Equifax spokesperson Meredith Griffanti told CNNMoney Friday that the original list of vulnerable personal information was never intended to represent the full list of potentially exposed information.

The new documents now raise questions of how much information hackers may have accessed in Equifax’s cyber attack.

In its response to lawmakers, Equifax said the pieces of information compiled are “not exhaustive,” but represent common personal information that hackers usually search for.

Criminals can use personal information like this to open bank accounts and lines of credit, like a credit card or mortgage, without the victim’s knowledge.

“The more information scammers have about you, the easier it is for them to impersonate you,” said Lauren Saunders, associate director at the National Consumer Law Center. “And the easier it is for them to get by the protocols that banks and others use to make sure they are dealing with the right individual.”

The unauthorized access occurred from May through July 2017. The hackers exploited a website application vulnerability to gain access to the files, according to the company.

New Bill to Give Government Power to Penalize Companies Who Suffer Data Breach

In an effort to motivate entities to protect their stores of sensitive consumer data, lawmakers want to penalize organizations that suffer major cyber-attacks. The proposed bill would grant the Federal Trade Commission clearer authority to fine credit-reporting agencies. The fines incurred by the companies would be paid to the millions of Americans affected by the breach.

Equifax could face a massive fine for another security breach — if two top Senate Democrats get their way

Recode | By Tony Romm | January 10, 2018

Two top Senate Democrats are seeking broad new powers for the U.S. government to slap Equifax and its peers with massive fines if they suffer major cyber attacks — money that would then be returned to the millions of Americans affected by such a breach.

The idea is the centerpiece of the so-called Data Breach Prevention and Compensation Act, a bill to be introduced on Wednesday by Democratic Sens. Elizabeth Warren and Mark Warner. Cyber attacks may be inevitable, but the lawmakers feel that the federal government for too long has lacked the power to penalize entities that fail to protect their stores of sensitive consumer data.

Specifically, the bill would grant the Federal Trade Commission — an arm of the government that oversees companies’ security practices — clearer authority to fine credit-reporting agencies. That category includes TransUnion, Experian and Equifax, the latter of which was subject to a breach last year compromising the names, Social Security numbers and other sensitive information of more than 145 million Americans.

If the Democrats’ measure had been law at the time of the incident, Equifax would have been forced to fork over $1.5 billion to the feds, the lawmakers estimate. That’s because their measure would allow the FTC to fine credit-reporting agencies $100 for each consumer whose personal information was stolen by a hacker — and another $50 for each additional piece of personal information compromised per individual. Total fines would be capped based on a credit-reporting agency’s revenue, but could increase further if the likes of Equifax failed to follow basic cybersecurity practices.

The bill by Warren and Warner would further ensure that half of the money paid to the U.S. government would ultimately be returned to affected consumers. Meanwhile, the Democratic duo would empower the FTC to probe and regulate the data security practices of credit-reporting agencies.

“Our bill imposes massive and mandatory penalties for data breaches at companies like Equifax — and provides robust compensation for affected consumers — which will put money back into peoples’ pockets and help stop these kinds of breaches from happening again,” Warren said in a statement.

For Warren and Warner, their proposal originates out of a broader frustration about the power and reach of credit-reporting agencies. These entities aren’t widely known, but they amass virtual warehouses of information about all Americans. The credit scores they compute affect consumers’ ability to purchase cars, rent apartments, obtain loans and more — but the watchdog FTC is limited in its oversight of the industry.

Yet even these powerful Democrats still face a daunting challenge in advancing their legislation to a vote on the Senate floor.

Lawmakers convened months of hearings in the aftermath of the Equifax breach, repeatedly grilling its top executives for their misdeeds. Disgust and outrage transcended party lines, leading Democrats and Republicans to expand their inquiries to include other major breaches, including a 2013 incident at Yahoo that affected three billion users.

Somehow, though, their intense, widespread criticism failed to translate into any new, meaningful movement on a slew of bills that might have addressed the problem. Congress couldn’t even advance basic legislation that aimed to refund consumers who had to purchase credit freezes from the very credit-reporting agencies, like Equifax, that had been hacked. Warren, in fact, had been a key driver of that idea.

Nor was it the first time that lawmakers failed to translate their outrage into action: Similar breaches affecting Sony, Home Depot, Target and scores of other major companies in recent years have failed to convince Congress to adopt new federal rules governing how and when companies inform customers of a data breach. Many states have their own rules, which one major company — Uber — may have flouted in its handling of a 2016 security incident.

For now, though, Senate Democrats stressed that their new bill is necessary to fix the “out of whack” economics of cybersecurity, as Warren explained — the reality that there’s currently very little the FTC can do, even in the wake of a cyber attack that affected 40 percent of the U.S.

“In today’s information economy, data is an enormous asset,” added Warner in a statement. “But if companies like Equifax can’t properly safeguard the enormous amounts of highly sensitive data they are collecting and centralizing, then they shouldn’t be collecting it in the first place.”