The vast majority of those records - 14.5 million - contained only names and birthdates, which Equifax contends "does not introduce any significant risk to these people."
But the remaining 700,000 records had data that may have included driver's license numbers, email addresses, phone numbers, partial credit card numbers and sensitive information tied to online Equifax.co.uk accounts.
"Equifax apologizes unreservedly for any risks to consumers arising as a result of this criminal hack," according to a statement issued Tuesday. "We continue to work closely with law enforcement and other agencies as well as leading external advisers to learn lessons for the future."
No group has yet taken responsibility for stealing the Equifax data, which affected 145.5 million U.S. consumers, plus some Canadians. The FBI has launched a criminal probe into the breach. But security experts do not believe the stolen data has appeared yet on dark web forums where this type of information would routinely surface for sale to identity thieves.
When Equifax first disclosed the breach on Sept. 7, it said "limited personal" information about consumers in the U.K. and Canada was also affected. Later, it estimated that data pertaining to 400,000 U.K. residents was exposed (see Equifax: Breach Exposed Data of 143 Million US Consumers).
The U.K. data ended up being stored on U.S. servers because of a "process failure" that occurred between 2011 and 2016, at which point it was found and fixed, Equifax says. But although the data transfer stopped, a copy of this file apparently remained stored on U.S. systems, and Equifax says attackers obtained it.
"Regrettably this file contained data relating to actual consumers as well as sizable test data sets, duplicates and spurious fields," the company says.
Equifax earlier suspected 100,000 Canadian residents were impacted by the breach, but later revised the Canadian victim count to 8,000. Exposed information for Canadian residents included names, addresses, Social Insurance Numbers and in some instances credit card numbers.
Equifax says it will contact by mail the 693,665 U.K. residents who had personal information exposed that went beyond just their name and birthdate. Exposed information varies, but includes:
637,430 consumers' phone numbers;
29,188 driver's license numbers;
14,961 Equifax.co.uk site membership details, which may include usernames, passwords, partial credit card details and secret questions and answers used to reset accounts;
12,086 email addresses used to register with Equifax.co.uk.
For victims whose phone numbers were leaked, Equifax says it will offer them "a leading identity monitoring service for free."
For the remaining consumers, the company is offering its own identity protection service called Equifax Protect for free. The company also plans to offer consumers other "products and services from third-party organizations" for free. Equifax didn't immediately respond to a query about how long those services would be offered.
Equifax has yet to describe those services, but says they will be outlined in the mailing that affected consumers receive.
Equifax's breach represents one of the largest - and for consumers, most dangerous - breaches ever recorded, and it's led to sharp questions about the cybersecurity prowess of credit agencies and data brokers.
In addition to exposing personal data for 145.5 million U.S. individuals, Equifax's breach exposed credit card numbers for 209,000 U.S. consumers. The breach also exposed documents related to credit disputes that 182,000 U.S. consumers had filed with the company.
The breach has triggered a wave of legal action against the company and resulted in the sudden retirement of CEO Richard Smith and departure of other senior executives, including Susan Mauldin, the former CSO.
Some critics say the breach shows that the data broker industry needs to be more tightly regulated to protect consumer data that can so easily be repurposed by fraudsters to commit identity theft.
Equifax was hacked after failing to address a known security problem. In March, hackers broke into Equifax's systems by exploiting a software vulnerability in Apache Struts, a web application development framework used for its U.S. website infrastructure (see Equifax's Colossal Error: Not Patching Apache Struts Flaw).
A patch for the vulnerability had been available since early March, but Equifax did not apply the patch and later system scans failed to identify the vulnerable Apache Struts software, the company acknowledges. After exploiting the flaw to hack into Equifax in March, intruders actively roamed its systems from mid-May through July 30, when Equifax detected the breach and closed the hole.