The Equifax hack may be worse than previously thought.
The national credit bureau revealed Monday that another 2.5 million people are believed to have gotten their personal information swiped during the cyber attack — bringing the total up to 145.5 million.
“I was advised Sunday that the analysis of the number of consumers potentially impacted by the cybersecurity incident has been completed, and I directed that the results be promptly released,” newly appointed interim CEO Paulino do Rego Barros Jr. said in a statement.
“Our priorities are transparency and improving support for consumers,” he added. “I will continue to monitor our progress on a daily basis.”
According to Equifax, the additional US customers that may have been affected were not victims of a new attack. They just weren’t accounted for when officials initially tallied the numbers.
“I want to apologize again to all impacted consumers,” Barros said. “As this important phase of our work is now completed, we continue to take numerous steps to review and enhance our cybersecurity practices. We also continue to work closely with our internal team and outside advisors to implement and accelerate long-term security improvements.”
Equifax ultimately determined that there were more victims during a review of the data breach, which was first disclosed on Sept. 7 — more than five months after the hackers reportedly infiltrated the company’s servers.
The investigation was conducted by the forensic security firm Mandiant.
“The completed review determined that approximately 2.5 million additional U.S. consumers were potentially impacted, for a total of 145.5 million,” Equifax said Monday. “Mandiant did not identify any evidence of additional or new attacker activity or any access to new databases or tables. Instead, this additional population of consumers was confirmed during Mandiant’s completion of the remaining investigative tasks and quality assurance procedures built into the investigative process.”
Equifax’s former CEO Richard Smith is scheduled to address a House subcommittee on Tuesday to discuss the data breach after being forced into retirement last week as a result.
Speaking Monday in a prepared statement, Smith said the hackers were able to access the company’s servers thanks to a flaw in its network, which the security department failed to fix — despite warnings from the US Computer Emergency Readiness Team.
“We now know that the vulnerable version of Apache Struts within Equifax was not identified or patched in response to the internal March 9 notification to information technology personnel,” Smith said. “I am deeply sorry that this occurred.”
Equifax plans to update the feature on its website that allows US consumers to check if their information was stolen, so that it reflects the newly listed consumers. The company said the site should be updated by Oct. 8.