Equifax says 2.5 million more Americans may be affected by hack

Equifax is now saying an additional 2.5 million Americans may have been affected by a massive security breach this summer, bringing the total to 145.5 million people. Equifax said the company it hired to do an examination of the breach, Mandiant, has concluded its investigation and plans to release the results "promptly."  [Associated Press]
Published Oct. 3, 2017

NEW YORK — Credit report company Equifax said Monday that an additional 2.5 million Americans may have been affected by the massive security breach of its systems, bringing the total to 145.5 million people who had their personal information accessed or stolen.

Equifax said the company it hired to investigate the breach, Mandiant, has concluded its investigation and plans to release the results "promptly." The company also said it would update its own notification for people who want to check if they were among those affected by Oct. 8.

The information stolen earlier this year included names, Social Security numbers, birth dates and addresses — the kind of information that could put people at significant risk for identity theft.

While Equifax previously said up to 100,000 Canadian citizens may have been affected, it said Monday that the completed review did not bear that out and it determined that the information of only about 8,000 Canadian consumers was involved.

The update comes as Equifax's former CEO, Richard Smith, who announced his retirement last month, will testify in front of Congress starting Tuesday. He's expected to face bipartisan anger from politicians who have expressed outrage that a company tasked with securing vast amounts of personal data was unable to keep its security software up to date.

In prepared testimony, he apologized and said human error and technology failures allowed the data breach. He also apologized for the way the company handled the announcement of what happened.

"To each and every person affected by this breach, I am deeply sorry that this occurred," Smith said in his prepared remarks. "Whether your personal identifying information was compromised, or you have had to deal with the uncertainty of determining whether or not your personal data may have been compromised, I sincerely apologize. The company failed to prevent sensitive information from falling into the hands of wrongdoers."

Smith, who resigned after overseeing the company for a dozen years, says Equifax was hacked by a yet-unknown entity. He said the information stolen included names, Social Security numbers, birth dates and addresses. In addition, credit card information for about 209,000 consumers was stolen, as well as certain documents with personally identifying information for approximately 182,000 consumers.

Lawmakers are expected to question Smith on how the company allowed the breach to occur, why it took as long as it did to notify consumers and what it's doing to help consumers protect themselves going forward. The House subcommittee holding the hearing has jurisdiction over e-commerce and consumer protection issues.

Smith said the Department of Homeland Security warned the company on March 8 about the need to patch a particular vulnerability in software used by Equifax and other businesses. The company disseminated that warning by email the next day and requested that applicable personnel install the upgrade. The company's policy requires the upgrade to occur within 48 hours, but Smith said that did not occur. The company's information security department also ran scans on March 15 that did not pick up the vulnerability.

"I understand that Equifax's investigation into these issues is ongoing," Smith said in the prepared remarks. "The company knows, however, that it was this unpatched vulnerability that allowed hackers to access personal identifying information."

Smith said it appears the first date the hackers accessed sensitive information was May 13. Between May 13 and July 30, there is evidence to suggest the attackers continued to access sensitive information, but it wasn't until July 29 that Equifax's security department observed suspicious network traffic. Smith said the hack was over the next day, but the hard work of figuring out the impact was just beginning.

Smith said he was told of the suspicious activity on July 31 in a conversation with the company's chief information officer. He then provided a timeline of events that included a senior leadership team meeting on August 17 where he learned the forensic investigation had determined large volumes of consumer data had been compromised. He said the lead member of the company's board of directors was notified on August 22 and the full board two days later. He convened a board meeting to discuss the scale of the breach on Sept. 1.

Meanwhile, the company worked on a support package for consumers and then notified the public on Sept. 7.

Smith also said he was disappointed in the rollout of call centers and a website designed to help the people affected by the breach. He said the company has increased its number of customer service representatives and the website has been improved.

"Still, the rollout of these resources should have been far better, and I regret that the response exacerbated rather than alleviated matters for so many," Smith said in the prepared testimony.

Equifax also faces several state and federal inquiries and numerous class-action lawsuits. At least one state, Massachusetts, and the cities of San Francisco and Chicago have sued Equifax as well.
