Equifax has been sending some consumers hit by its data breach wrong letters

  • Equifax revealed last year that a massive hacking exposed the personal data of nearly 150 million consumers.
  • The most recent revelation involved partial driver's license data, but not Social Security numbers.
  • However, the company notified those people using inaccurate letters, the company confirmed to CNBC.

Richard Smith, former chairman and CEO of Equifax Inc., testifies before House Energy and Commerce hearing on "Oversight of the Equifax Data Breach: Answers for Consumers" on Capitol Hill in Washington, U.S., October 3, 2017.
Kevin Lamarque | Reuters
Richard Smith, former chairman and CEO of Equifax Inc., testifies before House Energy and Commerce hearing on "Oversight of the Equifax Data Breach: Answers for Consumers" on Capitol Hill in Washington, U.S., October 3, 2017.

Equifax, which suffered a massive data breach in 2017 that exposed the personal information of nearly 150 million consumers, has been sending out erroneous notification letters to a "small percentage" of those affected, the company confirmed Monday.

Hackers breached the credit reporting agency's records, exposing data belonging to millions of accounts monitored by Equifax. Since then, the company has been reaching out to people who were affected by the breach, offering free credit monitoring and other remediation efforts.

Yet an apparent glitch in Equifax's system has generated a batch of letters containing incorrect personal data, raising questions about the efficacy of the company's efforts — or whether there might be more shoes to drop. Since it first disclosed the breach last year, Equifax has upwardly revised the numbers affected on at least two separate occasions, though the latest group of consumers exposed did not include Social Security numbers, according to the company.

Over the weekend, one person who received a letter from Equifax reached out to CNBC, stating that a letter the company sent him had the correct address, but the wrong name.

"As a result of ongoing analysis of data stolen in last year's cybersecurity incident, we announced on March 1 that we had confirmed the identities of U.S. consumers whose partial driver's license information had been taken and that we would notify these newly identified U.S. consumers directly," Equifax said in a statement mailed to CNBC early Monday.

"We recently initiated this notification process by mail and have learned that a very small percentage of the notifications were sent to the wrong addresses due to the complex nature of determining the best address match to a consumer and, in some cases, mailing addresses on record may be out-of-date or incorrect," it added.

Equifax declined to say exactly how many wrong letters were sent out. However, it stressed that the notification letters "did not contain any credit data or other sensitive information. As soon as the issue was identified, it was contained, and remediated. The affected consumers will be sent new letters," the statement read.

The company has been grilled by Congress on why it waited weeks to inform the public when it first discovered the hacking. Amid the uproar, former CEO Richard Smith stepped down, and took responsibility for how the matter was handled.