Last year’s worst hack exposed even more information than previously believed, further highlighting vulnerabilities created by the credit-monitoring system.
Between May and July of last year, hackers stole 145 million Americans’ Social Security numbers, birthdays, driver’s license numbers, and addresses from Equifax, one of the three largest credit reporting agencies in the country. The Wall Street Journal, reviewing documents submitted to Congress, now reports that stolen data also included tax identification numbers and driver’s license states and issuance dates. Some email addresses were also acquired by hackers.
The additional data could make it even easier for hackers to open credit lines or otherwise exploit victim’s identities. The theft of tax ID numbers is particularly concerning, since it may increase the risk of fraudulent tax filings.
More from FORTUNE
Get Data Sheet, Fortune’s technology newsletter.
As with the original disclosures, the additional hacked data is particularly disturbing because victims did not choose to entrust it to Equifax in the first place. Credit-reporting agencies like Equifax gather data on most adult Americans from a variety of sources, including retailers, employers and even social media, while aggressively marketing their ability to keep it all safe.
The credit-scoring company says its original disclosures of hacked data were not meant to be comprehensive. But Democratic Sen. Elizabeth Warren on Friday sent a letter to Equifax accusing the company of issuing “incomplete, confusing and contradictory statements” about the extent of the hack. Warren’s office has alleged that passport numbers, which could be used to create fake immigration documents, were also among the stolen data, but Equifax has thus far denied that claim.