Extra 2.5 Million Americans Affected by Equifax Breach

Equifax has revised upwards the number of Americans affected by a massive data breach at the firm last month to 145.5 million, although data is still being analyzed relating to UK customers.

The credit agency’s update on Monday claimed that Mandiant has now finished the forensic part of the investigation into an incident which compromised highly sensitive user information including Social Security numbers, dates of birth, names, addresses and much more.

Although the update added 2.5 million extra affected US customers, it appears as if initial estimates that 100,000 Canadians were also impacted were a mistake.

Just 8,000 Canadians were affected by the massive breach, although some of the small proportion who had their credit card details stolen were from north of the border, Equifax confirmed.

The firm had this to say about those in the UK:

“The forensic investigation related to United Kingdom consumers has been completed and the resulting information is now being analyzed in the United Kingdom. Equifax is continuing discussions with regulators in the United Kingdom regarding the scope of the company’s consumer notifications as the analysis of the completed forensic investigation is completed.”

Details of former Equifax CEO Richard Smith’s forthcoming appearance before a congressional committee today have also emerged.

Written testimony seen by reporters has him blame the incident on “human error and technology failures”, and admit that “mistakes were made” in terms of incident response.

It also confirms that the firm failed to patch an Apache Struts vulnerability when it should have, allowing hackers to exploit the flaw to access its network.

“Equifax’s efforts undertaken in March 2017 did not identify any versions of Apache Struts that were subject to this vulnerability, and the vulnerability remained in an Equifax web application much longer than it should have,” notes Smith.

He also gives a rather bemusing excuse for not notifying affected consumers for six weeks, claiming that doing so “would provoke ‘copycat attempts’ and other criminal activity.”
