NEW YORK (CBSNewYork/AP) – Credit report company Equifax said Monday that an additional 2.5 million Americans may have been affected by the massive security breach of its systems, bringing the total to 145.5 million people who had their personal information accessed or stolen.
Equifax said the company it hired to investigate the breach, Mandiant, has concluded its investigation and plans to release the results “promptly.” The company also said that, by Oct. 8, it would update its own notification for people who want to check if they were among those affected.
The information stolen earlier this year included names, Social Security numbers, birth dates and addresses — the kind of information that could put people at significant risk for identity theft.
While Equifax previously said up to 100,000 Canadian citizens may have been affected, it said Monday that the completed review did not bear that out and it determined that the information of only about 8,000 Canadian consumers was involved.
The news follows Equifax’s bungled promotion of a consumer help website, EquifaxSecurity2017.com, where people could check to see if their personal information had been stolen.
On its Twitter account, Equifax initially directed consumers to “SecurityEquifax2017.com,” a fake site created by an outside software engineer. The phishing site got about 200,000 hits before browsers had it blacklisted and the creator took it down.
The update on the number of affected consumers comes as Equifax’s former CEO, Richard Smith, who announced his retirement last month, testified in front of Congress starting Tuesday. He was expected to face bipartisan anger from politicians who have expressed outrage that a company tasked with securing vast amounts of personal data was unable to keep its security software up to date.
“We know now that this criminal act was made possible because of a combination of human error and technological error,” Smith testified.
The Department of Homeland Security notified Equifax in March about vulnerable software, and the company failed to protect consumers, CBS News’ Weijia Jiang reported.
“How does this happen when so much is at stake? I don’t think we can pass a law that – excuse me for saying this – but fixes stupid,” Rep. Greg Walden, R-OR, said.
Lawmakers expressed outrage not only about the breach, but also about how the consumer credit reporting agency responded.
“Slow roll out and how poor it was done, to me is just inexcusable,” Rep. Ryan Costello, R-PA, said.
In addition to the fake link on Twitter, the company’s free credit freezing service included an arbitration clause.
“I think it was within 24 hours we removed that and tried to clarify that,” Smith said. “It was a mistake.”
“A constituent pointed out to me it would be wrong to call the victims of this breach Equifax customers, and he asks why he’s been impacted in this manner,” Congressman Paul Tonko, R-NY, said.
“I apologize to the individual who wrote you that letter. I apologize to America for what happened,” Smith replied. “We’re going to try to make it right.”
Smith told lawmakers that data security is a national security problem that will require Congress and private companies to work together on a solution.
“To each and every person affected by this breach, I am deeply sorry that this occurred,” Smith said in his prepared remarks. “Whether your personal identifying information was compromised, or you have had to deal with the uncertainty of determining whether or not your personal data may have been compromised, I sincerely apologize. The company failed to prevent sensitive information from falling into the hands of wrongdoers.”
Equifax also faces several state and federal inquiries and numerous class-action lawsuits. At least one state, Massachusetts, and the cities of San Francisco and Chicago have sued Equifax as well.
(© Copyright 2017 CBS Broadcasting Inc. All Rights Reserved. The Associated Press contributed to this report.)