Equifax now says some passport info was stolen in breach

NEW YORK  — Equifax acknowledged a relatively small number of passport images and information were stolen as part of last year's security breach, despite previously denying such a thing occurred.

The credit monitoring company said 3,200 passport images were stolen last year, according to a letter sent last week by lawyers representing Equifax to the Senate Banking Committee. That's compared to the 148 million individuals that were impacted by the overall breach.

Equifax originally disclosed the breach back in September, but subsequent disclosures from the company show that more information had been stolen that originally reported. Originally Equifax said 145.5 million Americans were impacted, and earlier this year added an additional 2.4 million Americans to the list who had some non-identifying information stolen, bringing the total to 147.9 million.

The passport images stolen are not new individuals impacted by the breach, Equifax said, but instead are part of the original figure disclosed to the public last year. The images were found in what's known as the company's dispute portal, which was a website individuals used to dispute errors in their credit report.

"In the interest of completeness, we manually reviewed the images stolen from the dispute portal, and through this manual process we found 3,200 images of passports or passport cards that were stolen," said Equifax spokeswoman Meredith Griffanti.

The first signs that other pieces of personally-identifiable information were stolen by the attackers came as part of an investigation done by Senator Elizabeth Warren, D-Massachusetts. Personally-identifiable information, also called PII, is information specific to a particular person that could be used in identity theft, like a Social Security number, birthdate, mother's maiden name, etc. During Warren's investigation, Equifax did not acknowledge that passport information specifically had been stolen but did acknowledge that additional PII had been potentially compromised.

"After first denying the exposure of passport numbers, Equifax is finally coming clean," Warren said in a statement.