Equifax on Thursday disclosed that 2.4 million additional customers had information stolen in a 2017 cyber attack. The company said it overlooked the victims in prior forensic analysis of the incident.
The credit rating agency Equifax said on Thursday that it has identified 2.5 million additional victims of a months-long hack it first disclosed in September 2017.
In a filing with the U.S. Securities and Exchange Commission (SEC), Equifax said that an “ongoing analysis” of data stolen last year confirmed the identities of 2.4 million additional U.S. consumers who had their name and partial driver’s license information stolen. Equifax had earlier admitted that more than 140 million people had information exposed to hackers.
The company said it would notify the newly identified U.S. consumers and provide them with identity theft protection and credit file monitoring services.
According to Equifax, the oversight was a byproduct of the forensic examination of the 2017 incident. Victims in the initial examination were identified by Social Security Number as well as name. Driver’s license number was not used as an identifier, Equifax acknowledged.
That method unwittingly omitted consumers whose Social Security Number was not stolen together with their partial driver’s license information, the company said.
Most of those affected had only partial driver’s license information exposed, not addresses, date of issuance or expiration or the name of the state that issued the license, Equifax said.
Still, the admission is just the latest in a string of embarrassments for the Atlanta-based firm, which is one of the “big three” credit bureaus that track consumer and business credit ratings. The breach has already cost the company close to $90 million in direct and indirect costs and spawned a number of consumer class action lawsuits and Congressional hearings. A number of senior executives were forced to leave the company or retire early.
Additionally, the company came under scrutiny for patterns of suspicious stock sales by senior executives prior to disclosure of the breach. (A subsequent internal investigation found no impropriety in the stock sales.) Balky customer support efforts in the wake of the incident also earned the company criticism.
Last week, the U.S. Securities and Exchange Commission announced a sweeping new interpretation of previous guidance on disclosing cyber security incidents that explicitly discouraged trading in company stock by insiders in the context of a data breach. The SEC guidance also made it clear the SEC expects clear and expedient reporting of cyber security incidents. Ongoing investigations into such incidents should not exempt organizations from having to disclose material security incidents, the SEC said.