It’s been nearly a month since Equifax disclosed that it had been the victim of a “cybersecurity incident” that exposed the personal information of 143 million U.S. consumers, and as it turns out, the data breach at the credit reporting agency is even larger than the company first thought.
Equifax revealed Monday that the results of the forensic portion of its investigation into the data breach show that the breach actually exposed the personal information of 145.5 million consumers – 2.5 million more than the company first reported.
“I was advised Sunday that the analysis of the number of consumers potentially impacted by the cybersecurity incident has been completed, and I directed that the results be promptly released,” the company’s newly appointed interim CEO, Paulino do Rego Barros, Jr. said Monday. “Our priorities are transparency and improving support for consumers. I will continue to monitor our progress on a daily basis.”
Barros took over as the company’s CEO after Equifax’s previous CEO and chairman of the board, Richard Smith, abruptly announced his retirement last week in the fallout of the breach.
The breach also led to inquiries from the Consumer Financial Protection Bureau, the Federal Trade Commission, the House Financial Services Committee, the Senate Finance Committee, the office of New York Attorney General Eric Schneiderman, the New York Department of Financial Services, a lawsuit from the state of Massachusetts, a lawsuit from the city of San Francisco, and a lawsuit from the city of Chicago.
Equifax’s new disclosure comes as the result of an ongoing investigation into the breach.
According to Equifax, the forensic portion of the investigation, which was conducted by cybersecurity firm Mandiant, showed that the personal information 2.5 million more consumers was exposed as part of the breach.
Equifax said Monday that Mandiant’s investigation did not identify any evidence of additional or new attacker activity or any access to new databases or tables.
Rather, the increase is the result of “Mandiant's completion of the remaining investigative tasks and quality assurance procedures built into the investigative process,” Equifax said Monday.
In order to “minimize confusion,” Equifax said Monday that it plans to mail written notices to all of the 2.5 million additional affected consumers.
Equifax said that the completed review also concluded that there is no evidence the attackers accessed databases located outside of the United States.
While the number of affected consumers in the U.S. increased, the opposite is true for Canadian residents.
Equifax previously stated that there may have been as many as 100,000 Canadians impacted by the breach, but the company said Monday that figure was “preliminary” and further investigation revealed the number of affected Canadians is much smaller.
According to Equifax, the completed review showed that the personal information of approximately 8,000 Canadian consumers was impacted by the breach.
“I want to apologize again to all impacted consumers. As this important phase of our work is now completed, we continue to take numerous steps to review and enhance our cybersecurity practices,” Barros added. “We also continue to work closely with our internal team and outside advisors to implement and accelerate long-term security improvements.”