Equifax revealed Thursday that an additional 2.4 million people’s personal information was stolen in the company’s 2017 data breach.
Initially, the credit reporting agency said in September 2017 that the names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers, of approximately 143 million consumers were stolen in the data breach.
Then, one month later, the company revealed that the breach was actually larger than first thought, increasing the number of victims to approximately 145.5 million.
Now, it turns out that the number of victims is actually closer to 148 million.
Equifax said Thursday that approximately 2.4 million more U.S. consumers had their names and partial driver’s license information stolen in the breach.
The company said that this additional affected population was discovered as part of its ongoing analysis of the breach, but was not included in the previously identified number of victims.
“This is not about newly discovered stolen data,” said Paulino do Rego Barros, Equifax’s interim CEO. “It’s about sifting through the previously identified stolen data, analyzing other information in our databases that was not taken by the attackers, and making connections that enabled us to identify additional individuals.”
According to the company, the method used in its forensic examination of the breach focused on Social Security numbers and names as the key data elements to identify the people affected by the breach.
The company said that the investigation was handled that way, in part, because forensics experts determined that the hackers predominately focused on stealing Social Security numbers.
These newly identified victims were not previously informed because their Social Security numbers were not stolen together with their partial driver’s license information, the company said.
According to the company, the additional victims were discovered by referencing other information in proprietary company records that the hackers did not steal and by engaging the resources of an external data provider to confirm the identities of the people whose partial driver’s license information was taken.
The company said that the information was partial because, in the vast majority of cases, it did not include the consumers’ home addresses, the states where their driver’s license was issued, the dates of issuance, or expiration dates.
Equifax said that it will notify these newly identified victims directly, and will offer them identity theft protection and credit file monitoring services at no cost.
After notifying these customers, Equifax “believes it will have met all applicable requirements to notify consumers,” the company said.
The company cautioned that its forensics experts found no evidence to this point that its core consumer, employment and income, or commercial credit reporting databases were accessed as part of the breach.
“We continue to take broad measures to identify, inform, and protect consumers who may have been affected by this cyberattack,” Barros said. “We are committed to regaining the trust of consumers, improving transparency, and enhancing security across our network.”