Equifax has revealed that its massive data breach is even larger than originally thought.
On Monday, the credit-reporting agency announced that cyber security firm Mandiant had completed the forensic portion of its investigation into the breach, in which hackers stole the personal information of millions of consumers. When the breach was announced Sept. 7, Equifax estimated that 143 million consumers were affected by the breach. However, the review determined that about 2.5 million additional consumers were “potentially impacted” – for a total of 145.5 million.
The additional 2.5 million seem to be the work of the same hacker or hackers.
“Mandiant did not identify any evidence of additional or new attacker activity or any access to new databases or tables,” Equifax said Monday. “Instead, this additional population of consumers was confirmed during Mandiant’s completion of the remaining investigative tasks and quality assurance procedures built into the investigative process.”
Equifax said it would mail written notices to all potentially impacted US consumers identified since the breach was announced.
“I want to apologize again to all impacted consumers,” said interim CEO Paulino do Rego Barros Jr., who took over after CEO Richard Smith departed in the wake of the breach. “As this important phase of our work is now completed, we continue to take numerous steps to review and enhance our cyber security practices. We also continue to work closely with our internal team and outside advisors to implement and accelerate long-term security improvements.”