UNITED STATES

SECURITIES AND EXCHANGE COMMISSION

Washington, D.C. 20549

 

 

FORM 8-K

 

 

CURRENT REPORT

Pursuant to Section 13 or 15(d)

of the Securities Exchange Act of 1934

Date of report (Date of earliest event reported): May 4, 2018

 

 

EQUIFAX INC.

(Exact name of registrant as specified in Charter)

 

 

 

Georgia   001-06605   58-0401110

(State or other jurisdiction

of incorporation)

 

(Commission

File Number)

 

(IRS Employer

Identification No.)

1550 Peachtree Street, N.W.

Atlanta, Georgia

  30309
(Address of principal executive offices)   (Zip Code)

Registrant’s telephone number, including area code: (404) 885-8000

Not Applicable

(Former name or former address, if changed since last report)

 

 

Check the appropriate box below if the Form 8-K filing is intended to simultaneously satisfy the filing obligation of the registrant under any of the following provisions:

 

Written communications pursuant to Rule 425 under the Securities Act (17 CFR 230.425)

 

Soliciting material pursuant to Rule 14a-12 under the Exchange Act (17 CFR 240.14a-12)

 

Pre-commencement communications pursuant to Rule 14d-2(b) under the Exchange Act (17 CFR 240.14d-2(b))

 

Pre-commencement communications pursuant to Rule 13e-4(c) under the Exchange Act (17 CFR 240.13e-4(c))

Indicate by check mark whether the registrant is an emerging growth company as defined in Rule 405 of the Securities Act of 1933 (§230.405 of this chapter) or Rule 12b-2 of the Securities Exchange Act of 1934 (§240.12b-2 of this chapter).

Emerging growth company   ☐

If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act.  ☐

 

 

 


Item 8.01. Other Events.

On May 4, 2018, Equifax Inc. (the “Company”) submitted a statement for the record to multiple Congressional committees regarding the cybersecurity incident announced on September 7, 2017 in which certain personally identifiable information of U.S. consumers was stolen. The statement provided additional detail on the data elements stolen in the cybersecurity incident related to those U.S. consumers and was made in response to, and as part of the Company’s ongoing cooperation with, governmental requests for information. The additional detail provided in the statement, which is described below, does not identify additional consumers affected and does not require additional consumer notifications. A copy of the statement is attached hereto as Exhibit 99.1 and is incorporated by reference herein.

Detail on Documents Uploaded to Online Dispute Portal

As part of the Company’s notification of affected consumers in 2017, the Company notified by direct mail the consumers who had uploaded dispute documents to the Company’s online dispute portal that their dispute information was accessed, and in order to provide information to each consumer regarding his or her accessed images, the Company provided each consumer with a list of the specific files that he or she had uploaded onto the Company’s online dispute portal and the dates of those uploads. Because the Company directly notified each impacted consumer, the Company had not previously analyzed the government-issued identifications contained in the images uploaded in the dispute portal.

In response to governmental requests for additional information, the Company recently analyzed the dispute documents stolen in the cybersecurity incident and determined the approximate number of valid U.S. government-issued identifications that had been uploaded to the dispute portal: 38,000 driver’s licenses, 12,000 social security or taxpayer ID cards, 3,200 passports or passport cards and 3,000 other government-issued identification documents such as military IDs, state-issued IDs and resident alien cards. The government identification documents described above do not identify additional consumers affected. Since all of these consumers were previously notified of the specific files that he or she had uploaded to the dispute portal, no further notifications of consumers are required.

Detail on Data Elements

In addition to the Company’s review of the dispute documents, in order to respond to governmental requests for additional information, the Company provided additional information regarding the approximate number of consumers impacted for each of the data elements that was stolen in the cybersecurity incident.

The attackers stole consumer records from a number of database tables with different schemas. With assistance from Mandiant, a cybersecurity firm, forensic investigators were able to standardize certain data elements for further analysis to determine the consumers whose personally identifiable information was stolen. As a result of its analysis of the standardized data elements, including using data not stolen in the cybersecurity incident, the Company was able to


confirm the approximate number of those impacted U.S. consumers for each of the following data elements stolen in the cybersecurity incident: name (146.6 million), date of birth (146.6 million), Social Security number (145.5 million), address information (99 million), gender (27.3 million), phone number (20.3 million), driver’s license number (17.6 million), email address (1.8 million), payment card number and expiration date (209,000), TaxID (97,500) and driver’s license state (27,000). As noted above, the additional detail provided does not identify additional consumers affected, and does not require additional consumer notifications.

 

Item 9.01. Financial Statements and Exhibits.

(d) Exhibits

 

99.1    Equifax’s statement for the record regarding the extent of the cybersecurity incident announced on September 7, 2017.


SIGNATURES

Pursuant to the requirements of the Securities Exchange Act of 1934, the Registrant has duly caused this report to be signed on its behalf by the undersigned hereunto duly authorized.

 

Dated: May 7, 2018       EQUIFAX INC.
     

/s/ John J. Kelley III

      John J. Kelley III
     

Corporate Vice President, Chief Legal Officer

and Corporate Secretary