Equifax adds 2.5M to total affected by breach as its former CEO heads to Washington
Equifax adds 2.5M to total affected by breach as its former CEO heads to Washington

The news that the total number of people potentially impacted by the Equifax breach has increased 2.5 million to 145.5 million comes as the company's former CEO is set to testify before Congress to explain the incident.

The new figure was tallied after the company completed the forensic portion of its investigation into a data breach that was first discovered on July 29 which saw its customer's Social Security numbers, birth dates, addresses and driver's license numbers being exposed. In some cases credit card numbers and other personal identifying information were compromised. The company said in a statement that the new victims were not the result of an additional compromise or foul play, according to the security firm Mandian which Equifax hired to conduct the investigation.

"I was advised Sunday that the analysis of the number of consumers potentially impacted by the cybersecurity incident has been completed, and I directed that the results be promptly released," interim CEO Paulino do Rego Barros, Jr. said in a release announcing the completion of a forensics analysis by Mandiant. "Our priorities are transparency and improving support for consumers. I will continue to monitor our progress on a daily basis."

The findings bumped the number of affected U.S. consumers up to 145.5 million but did not reflect any additional or new hacker activity nor did it reveal access to new databases. The analysis showed that the information of only 8,000 Canadians was potentially compromised instead of the 100,000 originally believed to be impacted. Analysis of impact on U.K. citizens has not been completed, the company said.

Equifax said it will send written notices by mail to the additional 2.5 million U.S. citizens and will update the website that consumers use to determine if they were affected by October 8 to reflect the new findings.

“Mandiant did not identify any evidence of additional or new attacker activity or any access to new databases or tables.  Instead, this additional population of consumers was confirmed during Mandiant's completion of the remaining investigative tasks and quality assurance procedures built into the investigative process,” Equifax said.  

Equifax first learned of the data breach on July 29, which it said was the result of the exploitation of a U.S. website app. However, the fact the company withheld releasing the news to the public and those affected for more than a month, has brought down a great deal of heat on the company resulting in CEO Richard Smith abruptly retiring on September 26. Earlier the company's CISO and CSO retired.

Smith will testify before the House Energy and Commerce Committee today.