Equifax: An additional 2.5M Americans affected by breach
Credit rating agency Equifax was hit by the mother of all hacks. As many as 143 million consumers -- mostly Americans, but some UK and Canadian residents -- were affected by a data breach involving highly sensitive and personal information. Not to be outdone, the company fumbled its incident response and remediation effort. Its support website looked like a phishing site, Its data breach checking tool didn't work, and the company was forced to pull a clause from its site that effectively prevented aggrieved customers from suing the company.
Equifax says an additional 2.5 million Americans were impacted by the massive data breach it disclosed last month, bringing the total up from 143 million to 145.5 million.
Additionally, the credit rating and reporting firm reports that 8,000 Canadian consumers were impacted. Initially, Equifax said as many as 100,000 Canadian citizens may have been impacted by the breach, but the company said Monday that this number "was preliminary and did not materialize."
The new figures come from a finalized forensic investigation conducted by the cybersecurity firm Madiant.
"Mandiant did not identify any evidence of additional or new attacker activity or any access to new databases or tables," Equifax said in a release. "Instead, this additional population of consumers was confirmed during Mandiant's completion of the remaining investigative tasks and quality assurance procedures built into the investigative process."
Mandiant also said there's no evidence the attackers accessed databases outside of the US.
Equifax previously reported that, in addition to the American and Canadian consumers impacted, around 400,000 UK consumers may have been affected as well. The forensic investigation related to UK consumers has been completed, the company said today. However, the results are still being analyzed, and Equifax is still engaged in "discussions with regulators in the United Kingdom regarding the scope of the company's consumer notifications."
Equifax has taken serious criticism for botching its response to the data breach. In its Monday update, the company said it will mail written notices to all of the new potentially impacted Americans. The feature on its website that helps US consumers determine whether they were impacted will be updated to reflect the additional potentially impacted consumers no later than October 8.
"I want to apologize again to all impacted consumers," the new interim CEO, Paulino do Rego Barros, Jr., said in a statement. "As this important phase of our work is now completed, we continue to take numerous steps to review and enhance our cybersecurity practices. We also continue to work closely with our internal team and outside advisors to implement and accelerate long-term security improvements."
Barros took over as CEO last week, after Equifax chairman and chief executive Richard Smith stepped down.