Equifax forensic investigation finds huge breach impacts 2.5m people than previously thought as wait for UK analysis continues
Credit monitoring firm Equifax has admitted that the huge data breach it suffered earlier this year impacts more customers than was previously thought.
A forensic investigation carried about by cybersecurity firm Mandiant could not find any evidence of new attacks or attacker activity but did discover that 2.5 million additional people were implicated.
This brings the total number up to 145.5 million – or half the population of the USA.
The UK investigation has also been completed, but no details were released as the information is still being analysed.
Last month, Equifax said 400,000 UK consumers were affected, even though the firm’s British systems were not hacked. Instead, a “process error” meant some British data was stored in the US.
Equifax said it was unlikely that the breach would lead to identify theft, but it would be offering support and identity protection services to any UK resident affected. The company said it is working with the Financial Conduct Authority (FCA) and the Information Commissioner’s Office (ICO).
The forensic investigation has confirmed that none of Equifax’s databases outside the US were breached, with the company previously attributing the hack to a web server vulnerability.
The catastrophic incident took place between mid-May and July of this year and has seen former CEO Richard Smith quit his job, following the departures of the firm’s CIO and CSO, and the company lose more than a quarter of its value.
Equifax was criticised for its confusing response to the hack and for waiting a month before informing clients. A class action lawsuit has been filed accusing it of negligence, while the US Senate committee on banking, housing and urban affairs is set to hold a hearing on the matter on 4 October and Smith is still scheduled to testify before it.
Several top executives allegedly sold shares worth $1.7 million (£1.3m) a few days before the hack was announced, something also reportedly being investigated by federal authorities.
“I was advised Sunday that the analysis of the number of consumers potentially impacted by the cybersecurity incident has been completed, and I directed that the results be promptly released,” said newly appointed interim CEO, Paulino do Rego Barros, Jr.
“Our priorities are transparency and improving support for consumers. I will continue to monitor our progress on a daily basis.
“I want to apologise again to all impacted consumers. As this important phase of our work is now completed, we continue to take numerous steps to review and enhance our cybersecurity practices. We also continue to work closely with our internal team and outside advisors to implement and accelerate long-term security improvements.”
Do you know all about security in 2017? Try our quiz!