Cybercriminals exposed millions more people’s personal information in the Equifax hack than the company reported last September.
On Thursday, Equifax said the breach surfaced 2.4 million more Americans’ names and drivers license numbers — less data than was exposed from the millions of other victims.
Equifax said it will notify the new victims directly. It will offer identity theft protection and credit file monitoring services at no cost.
The credit monitoring agency previously said hackers accessed personal information of 145.5 million people, including names, Social Security numbers drivers license numbers and addresses.
The latest disclosure is another blow to the Equifax. Since the breach, Equifax’s CEO Richard Smith and top security officers resigned. In October, Smith testified in front of Congress and apologized for the breach.
Equifax first disclosed the bombshell hack in September 2017, three months after the company discovered the breach. Hackers leveraged a security flaw in a tool designed to build web applications to steal customer data. Equifax admitted it was aware of the security flaw a full two months before the company says hackers first accessed its data.
In October, the company said the breach affected 2.5 million more people than it initially stated. With Thursday’s announcement, the total now comes to around 148 million.
It is not yet known who is responsible for the hack, but the investigation is ongoing.
It is unclear if the company will face consequences for leaking millions of people’s sensitive data that could be used for identity theft.
The company is currently under investigation by multiple states attorneys general and faces a number of civil lawsuits.
In November, three Democratic senators introduced a data breach disclosure bill, called The Data Security and Breach Notification Act, that could introduce consequences for companies who do not responsibly deal with hacks.
The bill would require companies to report data breaches within 30 days. If someone at a business knowingly conceals a data breach, they could face up to five years in prison.
It is still early in the legislative process, so it’s unclear if the law will eventually pass.