In a press announcement released Monday night, Equifax Inc. (NYSE: EFX) said that further investigation of the data breach first reported on September 7 has added another 2.5 million Americans to the number of consumers whose personally identifiable records were stolen from the company. A new total of 145.5 million Americans “were potentially impacted,” according to Equifax.
Mandiant, a subsidiary of cybersecurity firm FireEye Inc. (NASDAQ: FEYE), concluded its forensic analysis on Sunday and Equifax interim CEO Paulino do Rego Barros, Jr., ordered that the results “be promptly released.”
The announcement included a modification of Equifax’s earlier statement that up to 100,000 Canadian consumers had been affected by the breach. The company said that the final review revealed that about 8,000 Canadians may have had their personal information stolen.
I want to apologize again to all impacted consumers. As this important phase of our work is now completed, we continue to take numerous steps to review and enhance our cybersecurity practices. We also continue to work closely with our internal team and outside advisors to implement and accelerate long-term security improvements.
The company also said it will mail written notices to all potentially affected U.S. consumers whom it has been able to identify since the September 7 announcement. Equifax will also update its website to include the additional consumers’ names by October 8.
In testimony scheduled to be presented to a U.S. House committee later Tuesday, former Equifax CEO Richard A. Smith outlined his version of Equifax’s actions since the company was first notified on March 8 of a need to patch a software program the company used on its consumer dispute website.
In his testimony, Smith says that Equifax discovered in late July that the first data breach occurred on May 13 and that between that date and July 30, “there is evidence to suggest that the attacker(s) continued to access sensitive information …. During that time, Equifax’s security tools did not detect this illegal access.”
The breach, Smith says, “occurred because of both human error and technology failures.”