Equifax finds its big data breach hit an additional 2.4 million people

Roughly 147.9 million Americans have been affected by Equifax's data breach.
Roughly 147.9 million Americans have been affected by Equifax’s data breach.
(Justin Lane / EPA / Shutterstock)

Equifax Inc. said Thursday that an additional 2.4 million Americans were affected by last year’s data breach, although not as much personal information was stolen from them.

The credit reporting company said the attackers stole only the names and partial driver’s license numbers of these additional people, unlike the previously disclosed 145.5 million Americans whose Social Security numbers were obtained. Attackers were unable to get the state where the licenses were issued, the date of issuance or expiration dates, Equifax said.

In total, roughly 147.9 million Americans have been affected by Equifax’s data breach. It remains the largest known data breach of personal information in history.


The company says it was able to find the additional 2.4 million Americans by cross-referencing names with partial driver’s license numbers using internal and external data sources. These Americans were not found in the original breach because Equifax had focused its investigation on those with Social Security numbers affected. People whose Social Security numbers have been stolen are generally more at risk for identity theft because of how much Social Security numbers are used in identity verification.

Equifax said it will reach out to the 2.4 million people and will provide the same credit monitoring and identity theft protection services it has been offering to the originally disclosed victims.

In October, Equifax was dragged to Capitol Hill to answer for its missteps, with former Chief Executive Richard Smith — who by then had resigned in light of the crisis — accepting responsibility for the data breach.

Last month, an investigation by Sen. Elizabeth Warren (D-Mass.) found that the company failed to keep its computer systems adequately up to date and was not forthcoming enough about its description of the damage.

“I spent five months investigating the Equifax breach and found the company failed to disclose the full extent of the hack,” Warren said in a statement Thursday. “Enough is enough. We have to start holding the credit reporting industry accountable.”

The Republican leader of the House Energy and Commerce Committee, Rep. Greg Walden of Oregon, said Thursday that despite “repeated” requests for documents from Equifax as a part of the committee’s investigation, Equifax has provided only partial responses.


“We now are requesting a briefing with Mandiant, the third-party company responsible for investigating the breach,” said Walden and Rep. Bob Latta (R-Ohio), who leads a subcommittee on digital commerce and consumer protection. “The American people deserve to know what went wrong, and our investigation will continue in full force until there are answers.”

The Washington Post was used in compiling this report.


1:45 p.m.: This article was updated with background information and with comments from lawmakers.

This article was originally published at 7 a.m.