SECURITIES AND EXCHANGE COMMISSION
Washington, D.C. 20549
Pursuant to Section 13 or 15(d)
of the Securities Exchange Act of 1934
Date of report (Date of earliest event reported): May 4, 2018
(Exact name of registrant as specified in Charter)
(State or other jurisdiction
1550 Peachtree Street, N.W.
|(Address of principal executive offices)||(Zip Code)|
Registrants telephone number, including area code: (404) 885-8000
(Former name or former address, if changed since last report)
Check the appropriate box below if the Form 8-K filing is intended to simultaneously satisfy the filing obligation of the registrant under any of the following provisions:
|☐||Written communications pursuant to Rule 425 under the Securities Act (17 CFR 230.425)|
|☐||Soliciting material pursuant to Rule 14a-12 under the Exchange Act (17 CFR 240.14a-12)|
|☐||Pre-commencement communications pursuant to Rule 14d-2(b) under the Exchange Act (17 CFR 240.14d-2(b))|
|☐||Pre-commencement communications pursuant to Rule 13e-4(c) under the Exchange Act (17 CFR 240.13e-4(c))|
Indicate by check mark whether the registrant is an emerging growth company as defined in Rule 405 of the Securities Act of 1933 (§230.405 of this chapter) or Rule 12b-2 of the Securities Exchange Act of 1934 (§240.12b-2 of this chapter).
Emerging growth company ☐
If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act. ☐
|Item 8.01.||Other Events.|
On May 4, 2018, Equifax Inc. (the Company) submitted a statement for the record to multiple Congressional committees regarding the cybersecurity incident announced on September 7, 2017 in which certain personally identifiable information of U.S. consumers was stolen. The statement provided additional detail on the data elements stolen in the cybersecurity incident related to those U.S. consumers and was made in response to, and as part of the Companys ongoing cooperation with, governmental requests for information. The additional detail provided in the statement, which is described below, does not identify additional consumers affected and does not require additional consumer notifications. A copy of the statement is attached hereto as Exhibit 99.1 and is incorporated by reference herein.
Detail on Documents Uploaded to Online Dispute Portal
As part of the Companys notification of affected consumers in 2017, the Company notified by direct mail the consumers who had uploaded dispute documents to the Companys online dispute portal that their dispute information was accessed, and in order to provide information to each consumer regarding his or her accessed images, the Company provided each consumer with a list of the specific files that he or she had uploaded onto the Companys online dispute portal and the dates of those uploads. Because the Company directly notified each impacted consumer, the Company had not previously analyzed the government-issued identifications contained in the images uploaded in the dispute portal.
In response to governmental requests for additional information, the Company recently analyzed the dispute documents stolen in the cybersecurity incident and determined the approximate number of valid U.S. government-issued identifications that had been uploaded to the dispute portal: 38,000 drivers licenses, 12,000 social security or taxpayer ID cards, 3,200 passports or passport cards and 3,000 other government-issued identification documents such as military IDs, state-issued IDs and resident alien cards. The government identification documents described above do not identify additional consumers affected. Since all of these consumers were previously notified of the specific files that he or she had uploaded to the dispute portal, no further notifications of consumers are required.
Detail on Data Elements
In addition to the Companys review of the dispute documents, in order to respond to governmental requests for additional information, the Company provided additional information regarding the approximate number of consumers impacted for each of the data elements that was stolen in the cybersecurity incident.
The attackers stole consumer records from a number of database tables with different schemas. With assistance from Mandiant, a cybersecurity firm, forensic investigators were able to standardize certain data elements for further analysis to determine the consumers whose personally identifiable information was stolen. As a result of its analysis of the standardized data elements, including using data not stolen in the cybersecurity incident, the Company was able to
confirm the approximate number of those impacted U.S. consumers for each of the following data elements stolen in the cybersecurity incident: name (146.6 million), date of birth (146.6 million), Social Security number (145.5 million), address information (99 million), gender (27.3 million), phone number (20.3 million), drivers license number (17.6 million), email address (1.8 million), payment card number and expiration date (209,000), TaxID (97,500) and drivers license state (27,000). As noted above, the additional detail provided does not identify additional consumers affected, and does not require additional consumer notifications.
|Item 9.01.||Financial Statements and Exhibits.|
|99.1||Equifaxs statement for the record regarding the extent of the cybersecurity incident announced on September 7, 2017.|
Pursuant to the requirements of the Securities Exchange Act of 1934, the Registrant has duly caused this report to be signed on its behalf by the undersigned hereunto duly authorized.
|Dated: May 7, 2018||EQUIFAX INC.|
|John J. Kelley III|
Corporate Vice President, Chief Legal Officer
and Corporate Secretary