Under-fire credit agency Equifax has revealed that millions more customers were affected by a major data breach last year.
The firm claimed in a post yesterday that ongoing analysis had confirmed an additional 2.4 million US consumers had their names and partial driver’s license information stolen.
“This information was partial because, in the vast majority of cases, it did not include consumers' home addresses, or their respective driver's license states, dates of issuance, or expiration dates,” the firm said.
The new revelations bring the total number of US consumers affected to just shy of 148 million, with hundreds of thousands of British and Canadian customers also hit.
Equifax claimed the reason it had not recorded the stolen data until now is because its forensic investigators had focused on Social Security Numbers (SSNs).
“Today's newly identified consumers were not previously informed because their SSNs were not stolen together with their partial driver's license information,” it said.
The news will be seen on Capitol Hill as yet another example of the firm’s incompetence. In January, senators proposed new legislation which would impose strict liability penalties on credit agencies (CRAs) in the event of a data breach, as they believe Equifax has not received ample punishment for the highly preventable security mistakes that led to its compromise.
However, Mounir Hahad, head of threat research at Juniper Networks, argued that it’s not uncommon for firms to find additional victims during breach investigations.
“For example, some companies may soon be required to issue a public notification of data breaches within three days of a cyber-incident, but in some complicated cases the actual findings may continue to be identified for months,” he said.
“Regardless of whether or not your information is confirmed to be affected, everyone should follow the best practices shared at the time of the incident, such as freezing access to credit reports and putting a credit monitoring service in place."