The affected people's compromised information involves partial driver's license data. It does not include Social Security numbers, which was the focus of earlier analyses of the breach and the reason this group of consumers was not identified sooner, according to the credit reporting company.
“This is not about newly discovered stolen data,” said Paulino do Rego Barros Jr., Equifax's interim chief executive. “It's about sifting through the previously identified stolen data, analyzing other information in our databases that was not taken by the attackers, and making connections that enabled us to identify additional individuals.”
This is not the first time Equifax has expanded its estimate of the breach's impact, which initially was put at 143 million consumers. In October, the company raised its estimate by 2.5 million, to 145.5 million. The company was dragged to Capitol Hill to answer for its missteps, with former chief executive Richard Smith — who by then had resigned in light of the crisis — accepting responsibility for the breach.
Last month, a probe by Sen. Elizabeth Warren (D-Mass.) said the company failed to keep its computer systems adequately up to date and was not forthcoming enough about its description of the damage.
“I spent five months investigating the Equifax breach and found the company failed to disclose the full extent of the hack,” Warren said in a statement Thursday. “Enough is enough. We have to start holding the credit reporting industry accountable.”
Warren's investigation suggested that consumers' passport numbers had been stolen, but Equifax denies the claim.
“We can confirm that passport numbers were an element we examined while conducting the forensic investigation,” the company said, “and we found no evidence that any passport numbers were stolen.”
The chairman of the House Energy and Commerce Committee, Rep. Greg Walden (R-Ore.), said Thursday that despite "repeated" requests for documents from Equifax as a part of the committee's own probe, the credit agency has provided only partial responses.
“We now are requesting a briefing with Mandiant, the third-party company responsible for investigating the breach,” said Walden and Rep. Robert E. Latta (R-Ohio), who leads a subcommittee on digital commerce and consumer protection. “The American people deserve to know what went wrong, and our investigation will continue in full force until there are answers.”
Equifax said Thursday that it will extend offers of free credit monitoring to those who are in the new batch of affected consumers.