2.5 Million More People Potentially Exposed in Equifax Breach

https://www.nytimes.com/2017/10/02/business/equifax-breach.html

Version 0 of 1.

Millions more people were affected by Equifax’s data breach than the credit bureau initially estimated, Equifax said on Monday.

The company increased its estimate on the number of Americans whose personal information was potentially exposed to 145.5 million, some 2.5 million more than it had previously disclosed.

The additional accounts were found during a forensic review by Mandiant, a cybersecurity firm hired by Equifax to investigate the attack, according to a company statement.

Equifax has been reeling since its announcement last month that hackers exploited a vulnerability in its website software to access its systems and extract sensitive personal information of millions of consumers. The material that was stolen included names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers.

Richard F. Smith, who stepped down last week as Equifax’s chief executive, is scheduled to testify on Tuesday before a congressional subcommittee that is investigating the theft and Equifax’s response to it. It is the first of four congressional hearings he is scheduled to speak at this week.

“I am deeply sorry that this occurred,” Mr. Smith said in prepared remarks released on Monday. “Equifax was entrusted with Americans’ private data and we let them down.”

Paulino do Rego Barros Jr., a longtime Equifax executive who was promoted after Mr. Smith’s departure to serve as the company’s interim chief executive, said that he was advised on Sunday that Mandiant had completed the forensic phase of its investigation and found the additional accounts that were potentially at risk.

“I directed that the results be promptly released,” Mr. Barros said in a statement. “Our priorities are transparency and improving support for consumers.”

Equifax said it would mail written notices to the 2.5 million newly identified people.

Mandiant’s review found no evidence that the thieves gained access to databases outside the United States, Equifax said. But 8,000 Canadian consumers were affected, and an investigation into whether the data of some British consumers was exposed remains in progress, the company said.