For the first time, Equifax is revealing just how much personal data was exposed in the massive data breach that affected more than 148 million Americans.

In a new filing with the Securities and Exchange Commission, the credit reporting agency broke down in detail the types of – and how much exactly – sensitive personal information was exposed to hackers in the breach. A statement for the record from Equifax included in the SEC filing breaks down what types of personal information and data was exposed in the September 2017 data breach.

The disclosure comes at the urging of several Congressional committees. According to Equifax, the company recently sent a letter to several Congressional committees providing additional detail on the data that was exposed in the breach. 

The credit agency did not reveal any new, previously unknown victims of the breach, but it did detail the types of identifiable information, and how much of it, that was left exposed because of the breach.

In its letter, Equifax said that the names and dates of birth for approximately 146.6 million people were exposed, as well as 145.5 million Social Security numbers, the address information for 99 million people, the gender data for 27.3 million people, 20.3 million consumers’ phone numbers, 17.6 million driver’s license numbers, 1.8 million email addresses, 209,000 payment card numbers and expiration dates, 97,500 tax ID numbers, and the state information for 27,000 driver’s licenses. See the chart below for a full breakdown. 

equifaxchart1
(Click to enlarge; Source: Equifax's SEC filing

Additionally, Equifax noted that the hackers also gained access images uploaded to the company's online dispute portal by approximately 182,000 consumers. 

Equifax also explained in detail what type of image files and documents from the credit agency’s online dispute portal were stolen through the hack, including:

  • 38,000 driver's licenses
  • 12,000 Social Security and tax ID cards
  • 3,200 passports and passport cards
  • 3,000 other documents, including military and state IDs and resident alien cards.

Equifax explained in its letter that this set of victims were notified via direct mail between October and December 2017.

Also in its letter, Equifax asserted that "the company’s forensics experts found no evidence that Equifax’s US and international core consumer, employment and income, or commercial credit reporting databases were accessed as part of the cyber attack."

According to Equifax, it is releasing this information as part of its "commitment to transparency."