Equifax has identified 2.4 million victims of its massive 2017 data breach that were not previously counted in the number of people affected by the hack, the credit bureau announced Thursday.
The company says that hackers stole partial driver’s license information from the newly-identified group. Equifax said that in the vast majority of these cases, the breach did not expose home addresses, the states in which the licenses were issued or expiration and issuance date.
The company said that these victims had not been identified previously because the forensic investigation had focused on stolen Social Security numbers.
“This is not about newly discovered stolen data,” Paulino do Rego Barros, Jr., Equifax’s interim CEO, said in a statement. “It’s about sifting through the previously identified stolen data, analyzing other information in our databases that was not taken by the attackers, and making connections that enabled us to identify additional individuals.”
Equifax said it will notify those in the new group and offer them free credit monitoring and identity theft services.
The new victims bring the total number affected by last year’s breach to 147.9 million people, or roughly 45 percent of the U.S. population.
The announcement has already rankled members of Congress who have been investigating the breach for months and grilled its former CEO in a marathon of hearings last year.
House Commerce Chairman Greg Walden (R-Ore.) and Rep. Bob Latta (R-Ohio), who is the chairman of a consumer protection subcommittee, said Thursday they would ask for a briefing from Mandiant, a firm that is investigating the breach.
“This latest announcement from Equifax is deeply concerning, and raises even questions about the company’s total failure in safeguarding consumers’ information and providing adequate tools for protection post-breach,” Walden and Latta said in a joint statement.
“Following our hearing with the former Equifax CEO, this committee has repeatedly requested documents and information from Equifax as part of our investigation into the data breach that impacted millions of Americans, only to be given partial responses and delay in full disclosure.”