Earlier this week, Equifax announced that additional 2.5 million U.S. consumers were exposed as a result of the massive data breach that affected the company in September. The credit reporting agency confirmed that a total of 145.5 million individuals have been exposed, hackers accessed names, social security numbers, dates of birth, addresses and, in some cases, driver’s license numbers and credit card numbers.
The company hired the security firm Mandiant to investigate the incident, it has already completed the forensic analysis of the affected systems.
“I was advised Sunday that the analysis of the number of consumers potentially impacted by the cybersecurity incident has been completed, and I directed that the results be promptly released,” said the appointed interim CEO, Paulino do Rego Barros, Jr. “Our priorities are transparency and improving support for consumers. I will continue to monitor our progress on a daily basis.”
According to Equifax, Mandiant was not able to find further evidence of new attacker activity or any unauthorized access to new databases or tables. and concluded that there is no evidence the attackers accessed databases located outside of the United States.
The experts have found no evidence the attackers have accessed databases located outside of the United States, personal information of only approximately 8,000 Canadian consumers was exposed. The figure is lower than previous thought, it was initially estimated that 100,000 Canadian consumers were affected.
“That number was preliminary and did not materialize,” Equifax said.
The Equifax hackers exploited a Struts 2 vulnerability, tracked as CVE-2017-5638, that was discovered in March.
In a statement to a congressional committee on Monday, former Equifax CEO Richard Smith explained that the company failed to patch the flaw in March after becoming aware of it. This admission aggravates the position of the company, according to Equifax policy, it experts would have required a patch to be applied within 48 hours.
(Security Affairs – Equifax, hacking)