Equifax finds additional 2.4 million impacted by 2017 breach

Cybercriminals exposed millions more people's personal information in the Equifax hack than the company reported last September.

On Thursday, Equifax said the breach surfaced 2.4 million more Americans' names and partial drivers license numbers -- less data than was exposed from the millions of other victims. Attackers were unable to get the state where the license was issued, the date of issuance or its expiration date.

Equifax said it will notify the new victims directly. It will offer identity theft protection and credit file monitoring services at no cost.

The credit monitoring agency previously said hackers accessed personal information of 145.5 million people, including names, Social Security numbers drivers license numbers, and addresses.

Anyone who believes they are a victim has options to protect their identity. On their website, Equifax recommends taking the following steps:

  • You can get free copies of your credit report from the three major credit bureaus at www.annualcreditreport.com. Review your credit reports carefully, and make sure your personal information and accounts are correct.
  • Consider  placing a security freeze or lock on your credit report. You can place a security freeze on your credit reports with the three major credit bureaus, EquifaxExperian, and TransUnion. You can also lock your Equifax credit report using Lock & Alert™, and contact the other two major credit bureaus for information on credit report locks. To learn more about the differences between credit report locks and freezes, visit Lock or Freeze.
  • You can place a fraud alert on your credit reports with the three major credit bureaus.
In addition, if you believe you've been a victim of identity theft, contact your local law enforcement and file a police report. It's also recommended to contact your state attorney general and the Federal Trade Commission.

The latest disclosure is another blow to the Equifax. Since the breach, Equifax's CEO Richard Smith and top security officers resigned. In October, Smith testified in front of Congress and apologized for the breach.

Related: Americans still aren't checking their credit reports

Equifax first disclosed the bombshell hack in September 2017, three months after the company discovered the breach. Hackers leveraged a security flaw in a tool designed to build web applications to steal customer data. Equifax admitted it was aware of the security flaw a full two months before the company says hackers first accessed its data.

It is not yet known who is responsible for the hack, but the investigation is ongoing.

It is unclear if the company will face consequences for leaking millions of people's sensitive data that could be used for identity theft.

The company is currently under investigation by multiple states attorneys general and faces a number of civil lawsuits.

In November, three Democratic senators introduced a data breach disclosure bill, called The Data Security and Breach Notification Act, that could introduce consequences for companies who do not responsibly deal with hacks.

The bill would require companies to report data breaches within 30 days. If someone at a business knowingly conceals a data breach, they could face up to five years in prison.

It is still early in the legislative process, so it's unclear if the law will eventually pass.