Equifax finds additional 2.4 million impacted by 2017 breach




Cybercriminals exposed millions more people's personal information in the Equifax hack than the company reported last September.

On Thursday, Equifax said the breach surfaced 2.4 million more Americans' names and partial driver's license numbers -- less data than was exposed from the millions of other victims. Attackers were unable to get the state where the license was issued, the date of issuance or its expiration date.

Equifax said it will notify the new victims directly. It will offer identity theft protection and credit file monitoring services at no cost.

The credit monitoring agency previously said hackers accessed personal information of 145.5 million people, including names, Social Security numbers, driver's license numbers, and addresses.

Anyone who believes they are a victim has options to protect their identity. On their website, Equifax recommends taking the following steps:



In addition, if you believe you've been a victim of identity theft, contact your local law enforcement and file a police report. It's also recommended to contact your state attorney general and the Federal Trade Commission.

The latest disclosure is another blow to Equifax. Since the breach, Equifax's CEO Richard Smith and top security officers resigned. In October, Smith testified in front of Congress and apologized for the breach.

Equifax first disclosed the bombshell hack in September 2017, three months after the company discovered the breach. Hackers leveraged a security flaw in a tool designed to build web applications to steal customer data. Equifax admitted it was aware of the security flaw a full two months before the company says hackers first accessed its data.

It is not yet known who is responsible for the hack, but the investigation is ongoing.

It is unclear if the company will face consequences for leaking millions of people's sensitive data that could be used for identity theft.

The company is currently under investigation by multiple state attorneys general and faces a number of civil lawsuits.

In November, three Democratic senators introduced a data breach disclosure bill, called The Data Security and Breach Notification Act, that could introduce consequences for companies that do not responsibly deal with hacks.

The bill would require companies to report data breaches within 30 days. If someone at a business knowingly conceals a data breach, they could face up to five years in prison.

It is still early in the legislative process, so it's unclear if the law will eventually pass.