Equifax breach affected millions more consumers than previously announced

The newly-identified consumers bring the total number of people affected by the hack to approximately 148 million.

CREDIT: Jaap Arriens/NurPhoto via Getty Images
CREDIT: Jaap Arriens/NurPhoto via Getty Images

Equifax announced this week that a widespread hack last year may have affected millions more people than originally thought. The news comes less than one month after the credit monitoring firm revealed hackers may have targeted consumers’ email addresses, tax identification numbers, and driver’s license information, in addition to the information previously identified as stolen last year.

“Equifax was able to identify approximately 2.4 million U.S. consumers whose names and partial driver’s license information were stolen, but who were not in the previously identified affected population discussed in the company’s prior disclosures about the incident,” the company wrote in a press release on Thursday. “This information was partial because, in the vast majority of cases, it did not include consumers’ home addresses, or their respective driver’s license states, dates of issuance, or expiration dates.”

Equifax stated that the customers had been identified after a forensic examination of the initial breach, which targeted Social Security numbers, dates of birth, and addresses, and likely occurred between mid-May and July 2017. The breach was first discovered on July 29, but the company did not announce the discovery until September last year.


“This is not about newly discovered stolen data,” interim CEO Paulino do Rego Barros, Jr. said on Thursday. “It’s about sifting through the previously identified stolen data, analyzing other information in our databases that was not taken by the attackers, and making connections that enabled us to identify additional individuals.”

The update brings the total number of consumers affected by the Equifax breach to approximately 148 million.

Equifax has been heavily criticized for its mishandling of the data breach. In addition to waiting weeks before announcing the hack, several top executives within the company — including CFO John Gamble — sold off hundreds of thousands of dollars’ worth of stock on August 1 and 2, shortly after the breach was discovered, earning a combined $1,780,000. Gamble alone made $946,374 from the sale, while Joseph Loughran, president of U.S. information solutions, and Rodolfo Ploder, president of workforce solutions, made $584,099 and $250,458, respectively.

As ThinkProgress previously reported, the Securities Exchange Commission (SEC) later confirmed that the sales were not pre-planned. An Equifax spokeswoman claimed at the time that the three had sold “a small percentage of their Equifax shares” and “had no knowledge that an intrusion had occurred at the time.”

Additionally, in conjunction with its initial announcement, Equifax announced in September that it had set up a website,, for consumers to check if they had been affected by the data breach. However, on several occasions in the weeks that followed, the company’s official Twitter account accidentally directed consumers to “,” a fake phishing site created by software engineer Nick Sweeting to educate consumers on the gaffe.


“I hope other companies are able to learn from this mistake, and remember to publish content only on trusted domains,” Sweeting, who lives in Medellín, Colombia, told NPR at the time, calling the Equifax site “dangerously easy to impersonate.”

In October, a little more than one month after the Equifax breach was announced, Senate Republicans voted to give broad lawsuit immunity to credit reporting companies like Equifax, as well as credit card companies and other financial firms. The resolution, which was rejected by all Senate Democrats and Republican Sens. Lindsey Graham (R-SC) and John Kennedy (R-LA), overturns a rule implemented by the Consumer Financial Protection Bureau (CFPB) that would have barred companies from employing “forced arbitration” clauses in their contracts, which require consumers to sign away their right to sue the company later on, forcing them to resolve any disputes using a private mediation system.

The rule, which was set to take effect in 2019, also prohibited companies from forcing consumers to sign away their right to participate in any class-action lawsuits against the business.

In November, Equifax was slapped with a national class-action lawsuit, represents plaintiffs from all 50 states and the District of Columbia, who say their information already has been used to open credit cards, mortgages, and take out student loans.