2.5 million more Americans may be affected by Equifax breach
Equifax also faces several inquiries and class-action lawsuits.
Credit report company Equifax said on Monday that 2.5 million more Americans may have been affected by the massive security breach of its systems, bringing the total to 145.5 million people.
Equifax said the company it hired to investigate the breach, Mandiant, has concluded its investigation and plans to release the results "promptly." The company also said it would update its own notification for people who want to check if they were among those affected by October 8.
The information stolen included names, Social Security numbers, birth dates and addresses, the kind of information that could put people at risk for identity theft.
While Equifax previously said up to 100,000 Canadian citizens may have been affected, it said Monday that the completed review did not bear that out and it determined that the information of about 8,000 Canadian consumers was involved.
The update comes as Equifax's former CEO, Richard Smith, who announced his retirement last month, will testify in front of Congress starting on Tuesday. He's expected to face bipartisan anger from politicians who have expressed outrage that a company tasked with securing vast amounts of personal data was unable to keep their security software up to date.
In prepared testimony, he apologised and said human error and technology failures allowed the data breach.
In March, the US Homeland Security Department alerted Equifax to an online gap in security but the company did nothing, said Smith.
"The vulnerability remained in an Equifax web application much longer than it should have," Smith said in remarks prepared for delivery on Tuesday. "I am here today to apologise to the American people myself."
Equifax also faces several state and federal inquiries and class-action lawsuits.
Smith's replacement, Paulino do Rego Barros Jr, has also apologised for the hack and said the company will help customers freeze their credit records and monitor any misuse.
There has been a public outcry about the breech but no more than 3.0 per cent of consumers have frozen their credit reports, according to research firm Gartner.
Smith said hackers tapped sensitive information between mid-May and late-July.
Security personnel noticed suspicious activity on July 29 and disabled web application a day later, ending the hacking, Smith said. He said he was alerted the following day, but was not aware of the scope of the stolen data.
On August 2, the company alerted the FBI and retained a law firm and consulting firm to provide advice. Smith notified the board's lead director on August 22.