Equifax hack affected 2.5M more Americans than first believed

Equifax says cyber attack may have hit 2.5 million more U.S. consumers

Speaking Monday in a prepared statement, Smith said the hackers were able to access the company's servers thanks to a flaw in its network, which the security department failed to fix - despite warnings from the US Computer Emergency Readiness Team.

Equifax Inc (EFX.N) was alerted in March to the software security vulnerability that led to hackers obtaining personal information of more than 140 million Americans but took months to patch it, its former CEO said in testimony to be delivered to Congress on Tuesday.

That action included retaining a third-party cybersecurity group to investigate the breach and contacting the Federal Bureau of Investigation.

Mandiant's digital forensic investigation concluded about four weeks after it launched.

Former Equifax CEO Richard Smith, in a witness statement released prior to scheduled Congressional testimony on Tuesday, apologized to consumers for the recent hack that exposed up to 143 million consumers to identity crimes, calling the incident "our worst fears...come true".

The timeline laid out by Smith didn't satisfy many lawmakers, who accused the company of being too slow. The credit-reporting agency has also promised to directly notify these additional victims via postal mail notices. His total compensation was about $2.8 million past year.

Smith is set to appear Tuesday before a House subcommittee, where he's expected to face a bipartisan grilling over the fiasco.

Swift public criticism followed around Equifax's security posture, its handling of the breach and the exposure of the sensitive customer data. Equifax used Struts as part of its website.

The agency said to minimize confusion, it plans to mail written notices to all of the additional potentially impacted US consumers found in the investigation. What's more, the terms of service online tool meant to let consumers find out if they were affected contained a mandatory arbitration clause that could have blocked consumers from joining class actions against Equifax, which Smith said was unintentional.

The company has also said that 182,000 USA individuals' personal details were exposed via breached credit dispute documents. A number of lawsuits have been filed against the company for allegedly mishandling people's data.

Equifax Inc is a global provider of information solutions and human resources business process outsourcing services for businesses, governments and consumers. On Monday, Equifax announced Mandiant completed its forensic investigation and revised the number of people impacted by the hack.

"We were disappointed with the rollout of our website and call centers, which in many cases added to the frustration of American consumers".

Regulators in Britain and Canada have said they are probing the breach.

While company protocol requires that Equifax patch up the software glitch within 48 hours, Smith said he now knows that software vulnerability was "not identified or patched".

The FBI has launched a criminal investigation into the Equifax breach.

Federal agencies, state officials and members of Congress are now probing Equifax over its data security practices, customer service response and the possibility of insider trading from executives. At least one state, Massachusetts, and the cities of San Francisco and Chicago have sued Equifax as well.

Related News: