Equifax has once again bumped up the estimated number of U.S. consumers affected by its massive breach – now saying that data on 147.9 million was somehow exposed.
The company's interim CEO Paulino do Rego Barros, Jr. said the revelation “is not about newly discovered stolen data” but rather is “about sifting through the previously identified stolen data, analyzing other information in our databases that was not taken by the attackers, and making connections that enabled us to identify additional individuals.”
Barros said the company was taking "broad measures to identify, inform, and protect consumers" impacted by the attack and was "committed to regaining the trust of consumers, improving transparency, and enhancing security" across the Equifax network.
Lawmakers expressed frustration with the company's lag in providing details and accurate numbers, first reporting that 143 million Americans had been affected, then increasing that number to 145.5 million.
“I spent five months investigating the Equifax breach and found the company failed to disclose the full extent of the hack,” Sen. Elizabeth Warren, D-Mass., tweeted Thursday, noting that Equifax “can't be trusted. Their mistakes allowed the breach to happen, their response has been a failure, and they still can't level with the public. Enough is enough. We have to start holding the credit reporting industry accountable.”
But Mounir Hahad, head of threat research at Juniper Networks, contended that "breach investigations can be very lengthy and it is not uncommon to disclose additional findings over a period of time. For example, some companies may soon be required to issue a public notification of data breaches within three days of a cyber incident, but in some complicated cases the actual findings may continue to be identified for months."
The company said partial driver's license numbers were nicked from the 2.4 million additional consumers affected, but “found no evidence that any passport numbers were stolen.”Warren urged the Senate to pass a bill she penned with Sen. Mark Warner, D-Va., “that would impose massive, mandatory penalties when companies like @Equifax expose millions of Americans' personal information.”
“The seemingly ever-growing extent of the Equifax breach should serve as a reminder that companies cannot afford to be complacent in the face of cyberthreats," said Bomgar CEO Matt Dircks. "In the majority of breaches, attackers use a stolen or weak password to gain a foothold into the network. It's critical that all credentials to privileged accounts be secured via multi-factor authentication and strong password management policies, including frequent rotation of privileged credentials."