Equifax says it identified 2.4 million U.S. consumers whose names and snippets of their driver's license numbers were stolen, adding to what is one of the largest and most sensitive data breaches on record.
The disclosure came Thursday, the same day Equifax announced a 40 percent rise in profit for the fourth quarter last year compared to the same period a year prior.
Equifax says that its latest breach-related finding came from an ongoing analysis of proprietary company records and information from an "external data provider."
The number of affected U.S. consumers now totals about 147.9 million, up from 145.5 million. The company says it will notify the victims and offer them prepaid identity theft protection and credit file monitoring services.
Equifax offered an explanation for why it is still uncovering victims six months after it first announced the breach on Sept. 7, 2017.
The company used Social Security numbers and names as the "key data elements" to figure out who was affected. Digital forensics experts had determined that the attackers were "predominantly" focused on stealing those numbers.
The latest group of people had portions of their driver's license numbers stolen but not at the same time as their Social Security numbers, Equifax says.
For most of the 2.4 million new breach victims, the stolen data did not include addresses, the states that issued their driver's licenses, or license issue or expiration dates.
Paulino do Rego Barros Jr., Equifax's interim CEO, claims his company's latest disclosure "is not about newly discovered stolen data."
Instead, it appears that Equifax is still trying to get to the bottom of everything that attackers may have accessed in the massive data sets that the company knows were exposed. "It's about sifting through the previously identified stolen data, analyzing other information in our databases that was not taken by the attackers and making connections that enabled us to identify additional individuals," he says.
No information has been released on who attacked Equifax. But the company admitted that it failed to quickly patch a known vulnerability in one of its installations of Apache Struts, a web application development framework (see Equifax's Colossal Error: Not Patching Apache Struts Flaw).
Attackers accessed names, addresses, Social Security numbers and in some cases, driver's license numbers. The breach also exposed credit card numbers for 209,000 U.S. consumers and credit dispute documentation for 182,000.
U.K. and Canadian consumers were also affected, but in a much lower volume than in the U.S., where personal data for most adults was exposed.
Equifax is facing a range of class-action lawsuits, probes by regulators and continuing questions from the U.S. Congress. And the reaction to the company's latest disclosure was unsparing.
The U.S. Senate Committee on Commerce, Science and Transportation plans to query Equifax for more information related to the latest disclosure, says Sen. John Thune, R-S.D., chairman of the committee.
"The company knew the incident affected nearly the entire population of credit-active consumers in the United States and had every reason to believe this number could grow," Thune says. "Equifax needs to put consumers first and shouldn't be trying to clean up its mess in a piecemeal fashion."
Money Rolling In
On Thursday, Equifax said that through Dec. 31, the breach had cost the company $114 million after insurance reimbursements, according to an 8-K filing with the U.S. Securities and Exchange Commission.
Of the $114 million, $64.6 million was spent on product costs and consumer support, including its offer of prepaid credit monitoring and identity theft protection services to U.S. consumers, using Equifax's own services. The company also spent $99.4 million on professional fees.
Equifax received $50 million from insurance payouts.
Despite the breach, Equifax did well for its fourth quarter of last year. Revenue was $838.5 million, up 5 percent over the fourth quarter of 2016. Net income was $172.3 million, an increase of 40 percent from the same period a year prior.
Equifax reaped a reward from President Donald Trump's tax cuts. The company says it gained a net tax benefit of $48.3 million in the fourth quarter from the Tax Cuts and Job Acts of 2017.