SAN FRANCISCO — Equifax said hackers may have stolen the personal information of 2.5 million more U.S. consumers than it initially estimated, bringing the total to 145.5 million.
The company said the additional customers were not victims of a new attack but rather victims who the company had not counted before. Equifax hired the forensic security firm Mandiant to investigate the breach, and it finished its report on Sunday. >
News of the new victims comes on the eve of congressional testimony to be given by Equifax’s former CEO Richard Smith, who will address a House subcommittee on Tuesday. He was forced into retirement last week in the wake of the attack.
In prepared remarks posted Monday, Smith said the hack was possible because someone in Equifax's security department didn’t patch a flaw the company had been alerted to by the U.S. Computer Emergency Readiness Team.
A scan performed later to check that the patch had been implemented failed to detect that it hadn’t, Smith said. He gave no reason why the company's workers failed to install the so-called Apache Struts upgrade.
The company has been dogged by criticism of its response to the breach. The website and call centers it established to serve customers faltered. Many consumers faced error messages on the website and couldn't reach anyone at Equifax by phone.
Equifax said the feature on its website that allows U.S. consumers to check if their information was stolen will be updated to add the newly-listed consumers no later than October 8.>
The news for those outside of the United States was better. Mandiant was able to confirm that no Equifax databases located outside of the United States were accessed by the attackers.
In addition, Equifax had originally believed that as many as 100,000 Canadians were affected by the breach. However, the Mandiant review found that only about 8,000 were.