There Are 2.5 Million More People in the Equifax Breach Than We Thought

By Kate Conger on at

The massive Equifax hack just keeps getting worse.

The company announced today that it lost personal information belonging to 2.5 million more people than it initially reported, bringing the total number of American consumers impacted by the breach to 145.5 million.

Mandiant, the cybersecurity forensics firm hired by Equifax to investigate the hack, completed its analysis of the incident and concluded that more information had been taken.

“Mandiant did not identify any evidence of additional or new attacker activity or any access to new databases or tables. Instead, this additional population of consumers was confirmed during Mandiant’s completion of the remaining investigative tasks and quality assurance procedures built into the investigative process,” Equifax said in a press release.

Although this means that even more US consumers are screwed, Canadians potentially impacted by the hack got lucky. Equifax initially claimed that 100,000 Canadians’ information had been stolen, but it has downgraded that estimate to just 8,000. The company is still tallying how many UK residents are affected.

In addition to adding 2.5 million names to the breach lookup website that still isn’t working properly, Equifax says it will mail written notices to the newly-discovered affected customers “to minimise confusion.”

“I want to apologise again to all impacted consumers. As this important phase of our work is now completed, we continue to take numerous steps to review and enhance our cybersecurity practices. We also continue to work closely with our internal team and outside advisors to implement and accelerate long-term security improvements,” said Equifax’s interim CEO, Paulino do Rego Barros.

Meanwhile, Equifax’s former CEO Richard Smith is set to testify before a House subcommittee tomorrow. His prepared testimony, published today, is a brutal blow-by-blow of everything the company got wrong before and after the hack was discovered in early September.


More Security Posts: