The credit rating agency said it didn’t originally announce “potential” data points, like tax identification numbers, that “may
have been accessed” by hackers.
Hackers stole more data from Equifax in a breach last year than initially thought.
In September, the Atlanta, GA-based credit giant revealed a huge data breach, including names, Social Security numbers, birth
dates, home addresses, and in some cases driver’s license numbers. It was later confirmed over 145 million were affected,
primarily Americans, but also some Canadians and British citizens.
The hack became the largest single data breach reported in 2017.
But documents seen by members of the Senate Banking Committee suggest the types of data stolen were wider than the company first
A letter published Friday by committee member Sen. Elizabeth Warren (D-MA) to acting Equifax chief executive Paulino do Rego
Barros summarized the senator’s five-month investigation into the Equifax breach, which said exposure of tax identification
numbers (TINs), email addresses, and additional license information — such as issue dates and by which state — was not
The news of the documents was first reported by The Wall Street Journal.
Tax identification numbers are usually issued by the Internal Revenue Service to workers who aren’t eligible for a Social Security
number, like foreign nationals, in order to report income and file tax returns.
Tax identification numbers were likely exposed because they were found in the same portion of the database where other tax
numbers, like Social Security numbers, were stored.
Commenting in several tweets, Warren said: “In October, when I asked the CEO about the precise extent of the breach, he couldn’t
give me a straight answer. So for five months, I investigated it myself.”
“My investigation revealed the depth of the breach and cover-up at Equifax,” she added. “And since I published the report, Equifax
has confirmed it is even worse than they told us.”
When reached, an Equifax spokesperson called the Journal’s headline “extremely misleading,” but confirmed that some additional
data points were impacted by the breach.
“We are fully aware — and have been — of the data that was stolen,” said spokesperson Meredith Griffanti in an email to ZDNet.
The company said it has always been up front about the data “primarily included” in the breach, but recently gave the Senate
Banking Committee data points “that may have been accessed that we categorized and analyzed in the forensic investigation.”
“Some of these were impacted — and some, like passports or [card verification numbers] for example, were not,” said Griffanti.
“We sent direct mail notices to those consumers whose credit card numbers or dispute documents with [personal data] were
impacted,” the spokesperson confirmed.