USA TODAY US Edition

Equifax breach hit 2.5M more Americans than thought

Total rises to 145.5M as former CEO prepares to address Congress

Equifax said hackers may have stolen the personal informatio­n of 2.5 million more U.S. consumers than it initially estimated, bringing the total to 145.5 million.

The company said the additional customers were not victims of a new attack but rather victims who the company had not counted before.

Equifax hired forensic security firm Mandiant to investigat­e the breach, and it finished its report Sunday.

News of the new victims comes on the eve of congressio­nal testimony to be given by Equifax’s former CEO Richard Smith, who will address a House subcommitt­ee Tuesday. He was forced into retirement last week in the wake of the attack.

In prepared remarks posted Monday, Smith said the hack was possible because someone in Equifax’s security department didn’t patch a flaw the company had been alerted to by the U.S. Computer Emergency Readiness Team. A scan performed later to check that the patch had been implemente­d failed to detect that it hadn’t, Smith said. He gave no reason why the company’s workers failed to install the so-called Apache Struts upgrade.

The company has been dogged by criticism of its response to the breach. The website and call centers it establishe­d to serve customers faltered. Many consumers faced error messages on the website and couldn’t reach anyone at Equifax by phone.

Equifax said the feature on its website that allows U.S. consumers to check if their informatio­n was stolen will be updated to add the newly-listed consumers no later than Oct. 8.

The news for those outside of the United States was better. Mandiant was able to confirm that no Equifax databases located outside of the United States were accessed by the attackers.

In addition, Equifax had originally believed that as many as 100,000 Canadians were affected by the breach. However, the Mandiant review found that only about 8,000 were.