The 2017 Equifax data breach has expanded again, with the company announcing last week that another 2.4 million U.S. consumers had their information stolen.
The Equifax data breach was first disclosed in September; at that time the credit rating agency said 143 million U.S. consumers had their private information stolen. The data included names, Social Security numbers, birth dates, addresses and in some cases, driver's license numbers. Equifax revised that estimate the following month and said an addition 2.5 million people had their data stolen. The latest development came in a March 1, 2018, announcement that 2.4 million more U.S. consumers had their data stolen.
The additional 2.4 million consumers had their names and partial driver's license information stolen in the Equifax data breach. The information stolen does not include home addresses, the state of issue for the license, the issued date or the expiration dates. These consumers also did not have their Social Security numbers stolen; Equifax claimed that is why this wasn't discovered during the initial investigations.
"The methodology used in the company's forensic examination of last year's cybersecurity incident leveraged Social Security numbers (SSNs) and names as the key data elements to identify who was affected by the cyberattack," the company said in its announcement. "This was in part because forensics experts had determined that the attackers were predominately focused on stealing SSNs. Today's newly identified consumers were not previously informed because their SSNs were not stolen together with their partial driver's license information."
The credit rating agency said it "will notify these newly identified U.S. consumers directly" and offer them free credit monitoring and identity theft protection.
Equifax has said the investigations -- both internal and done by security company Mandiant -- that followed the breach in September "uncovered everything." However, this is not the first update since the Equifax data breach investigations supposedly closed.
Just last month, it was confirmed that the scope of the Equifax data breach expanded to include even more types of data such as tax identification numbers, email addresses and driver's license information beyond just the numbers.
This addition -- which did not affect a greater number of consumers -- was not directly disclosed to the public by Equifax even though it was discovered during the initial investigation into the breach. Instead, a document Equifax submitted to the Senate Banking Committee was leaked to The Wall Street Journal, and the flood of reports that followed prompted Equifax to confirm the discovery.
Equifax said the discovery of the 2.4 million newly affected consumers came to light as part of "ongoing analysis" into the breach. However, it's unclear when the discovery was made, and why the discrepancy wasn't observed until now.
SearchSecurity contacted Equifax, but the company declined to comment.