Equifax Inc. (NYSE: EFX) announced today that the cybersecurity firm Mandiant has completed the forensic portion of its investigation of the cybersecurity incident disclosed on September 7 to finalize the consumers potentially impacted.
“I was advised Sunday that the analysis of the number of consumers potentially impacted by the cybersecurity incident has been completed, and I directed that the results be promptly released,” newly appointed interim CEO, Paulino do Rego Barros, Jr. said. “Our priorities are transparency and improving support for consumers. I will continue to monitor our progress on a daily basis.”
In the Sept. 7 announcement advising the public of the cybersecurity incident, Equifax said, “While the company’s investigation is substantially complete, it remains ongoing and is expected to be completed in the coming weeks.” Mandiant, the cybersecurity firm retained by Equifax to investigate the breach, advised the company Sunday that it has completed its forensic analysis of the consumers potentially impacted by the incident.
The completed review determined that approximately 2.5 million additional U.S. consumers were potentially impacted, for a total of 145.5 million. Mandiant did not identify any evidence of additional or new attacker activity or any access to new databases or tables. Instead, this additional population of consumers was confirmed during Mandiant’s completion of the remaining investigative tasks and quality assurance procedures built into the investigative process.
The completed review also has concluded that there is no evidence the attackers accessed databases located outside of the United States.
With respect to potentially impacted Canadian citizens, the company previously had stated that there may have been up to 100,000 Canadian citizens impacted, but that number was preliminary and did not materialize. The completed review subsequently determined that personal information of approximately 8,000 Canadian consumers was impacted. In addition, it also was determined that some of the consumers with affected credit cards announced in the company’s initial statement are Canadian. The company will mail written notice to all of the potentially impacted Canadian citizens.
The forensic investigation related to United Kingdom consumers has been completed and the resulting information is now being analyzed in the United Kingdom. Equifax is continuing discussions with regulators in the United Kingdom regarding the scope of the company’s consumer notifications as the analysis of the completed forensic investigation is completed.
To be clear, the individuals identified in this update, and the unauthorized access of information, all relate to the cybersecurity incident disclosed on Sept. 7.
To minimize confusion, Equifax will mail written notices to all of the additional potentially impacted U.S. consumers identified since the Sept. 7 announcement. The feature on the website that U.S. consumers may use to determine whether they may have been impacted will be updated to reflect the additional potentially impacted U.S. consumers discussed in this release by no later than October 8.
“I want to apologize again to all impacted consumers. As this important phase of our work is now completed, we continue to take numerous steps to review and enhance our cybersecurity practices. We also continue to work closely with our internal team and outside advisors to implement and accelerate long-term security improvements,” Barros added.