The fallout from Equifax's 2017 mega breach continues.

As was first reported by the Associated Press, the credit reporting agency's lawyers sent a letter to the Senate Banking Committee last week revealing that thousands of images of passports were stolen in the breach. Consumers provided those images to the company to dispute inaccuracies in their credit reports.

The revelation comes after Equifax in February specifically denied that passport numbers were included in the breach.

In a statement to PCMag, Equifax spokeswoman Meredith Griffanti said the company "manually reviewed" the photos stolen from its dispute portal and "found 3,200 images of passports or passport cards."

Equifax says these are not new victims. The company already counted all the people whose passport images were stolen in its previously announced breach totals. "Consumers who had information accessed by the attackers have been notified and provided with a list of the files they had uploaded, as well as the dates of those uploads," Griffanti added.

The company had not fully analyzed the documents stolen from its dispute portal when it said no passport numbers were affected.

When it first disclosed the breach in September 2017, Equifax said it affected 143 million people, but a month later upped that estimate to 145.5 million. This March, Equifax announced it had discovered 2.4 million additional victims, bringing the total number of impacted individuals to 147.9 million. The company initiallty said the hackers made away with names, Social Security numbers, birth dates, addresses, some driver's license numbers, along with some credit card numbers, and other documents containing personal information.

Related Equifax Must Pay

Meanwhile, Equifax may wind up getting a just slap on the wrist from the feds over the incident. Reuters earlier this year reported that the new head of the Consumer Financial Protection Bureau, Mick Mulvaney, has scaled back the agency's investigation into the breach.

Further Reading

Security Reviews