Equifax Underestimated by 2.5 Million the Number of Potential Breach Victims
One of three main credit reporting agencies in the U.S. next to Experian and TransUnion, Equifax (EFX) stores a trove of highly sensitive personal and financial details about consumers. From mid-May through July, an as yet unidentified hacker group gained access to a large swathe of this data—including names, birthdates, street addresses, credit card numbers, and Social Security numbers—the company disclosed last month.
Equifax released the new estimate on Monday, a day after Mandiant, the computer forensics division of the cybersecurity firm FireEye (FEYE) that Equifax hired, completed its full review of the damage. Despite the higher figure, Equifax said that Mandiant “did not identify any evidence of additional or new attacker activity or any access to new databases or tables.”
Equifax said Mandiant also found no evidence of unauthorized activity on databases located outside of the United States.
Get Data Sheet, Fortune’s technology newsletter
“I want to apologize again to all impacted consumers,” Paulino do Rego Barros, Jr., Equifax’s newly appointed interim CEO, said in a statement. “As this important phase of our work is now completed, we continue to take numerous steps to review and enhance our cybersecurity practices. We also continue to work closely with our internal team and outside advisors to implement and accelerate long-term security improvements.”
Equifax said that while it initially warned that data on about 100,000 Canadians may have been exposed, it has now revised that number down to 8,000 potential Canadian victims. The company said it would notify them through the mail.
Read more: “You Should Have Control Over Your Data—Not Sloppy Companies Like Equifax” by Elizabeth Warren
Equifax said it was still determining the extent of the breach for U.K. consumers.
In the weeks since Sept. 7, when Equifax first disclosed the compromise, a number of key leaders have left the company. Former CEO Richard Smith retired (banking as much as a $90 million payday), as did its chief information officer and chief security officer.
Equifax’s board said it is investigating other members of its executive team, including its chief financial officer and general counsel, for selling stock after the breach’s discovery, but before its public disclosure. A number of lawsuits have been filed against the company for allegedly mishandling people’s data.
Equifax has recommended that consumers enter some identifying details into a website it set up in the aftermath of the hack to determine whether they were affected. The company said it would update the database with the names of the additional millions of potentially affected consumers by Oct. 8.
Security pros have recommended that victims implement a credit freeze, which locks down credit records with a special PIN.