News > FinTech

Equifax Reports 2.5 Million More Americans Were Impacted By Security Breach

By NexChange

Equifax has completed its analysis into the major security breach it reported last month, concluding that 2.5 million more Americans were impacted by the hacking than initially estimated.

The credit reporting agency, which had initially reported that 143 consumers had sensitive information compromised by the breach, is now putting the total at 145.5 million. It said in a statement that no databases outside the U.S. were breached.

“I want to apologize again to all impacted consumers,” Paulino do Rego Barros, Jr., interim CEO of Equifax said in the statement. “As this important phase of our work is now completed, we continue to take numerous steps to review and enhance our cybersecurity practices.  We also continue to work closely with our internal team and outside advisors to implement and accelerate long-term security improvements.”

Richard Smith, the chairman and chief executive of Equifax at the time of the security breach, retired last week from the company. In prepared testimony to the U.S. to the House Committee on Energy and Commerce Subcommittee on Digital Commerce and Consumer Protection on Tuesday, Smith blamed the failure of the company “to patch a particular vulnerability” in a software program that allowed hackers to access sensitive information.

He notes that the U.S. Department of Homeland Security, Computer Emergency Readiness Team, sent out a notice on March 8 about the necessary patch, which Equifax needed to apply to a program called “Apache Struts. ” This program, Smith said, is the company’s “online disputes portal,” which allows consumers to dispute items on their credit report.

Per Smith’s testimony:

On March 9, Equifax disseminated the U.S. CERT notification internally by email requesting that applicable personnel responsible for an Apache Struts installation upgrade their software. Consistent with Equifax’s patching policy, the Equifax security department required that patching occur within a 48 hour time period. We now know that the vulnerable version of Apache Struts within Equifax was not identified or patched in response to the internal March 9 notification to information technology personnel.

“Let me say clearly: As CEO I was ultimately responsible for what happened on my watch,” Smith said in his prepared remarks. “Equifax was entrusted with Americans’ private data and we let them down. To each and every person affected by this breach, I am deeply sorry that this occurred.”

Photo: Getty iStock

Subscribe to our Newsletter

Be one of the first to experience the future of financial services