Equifax said hackers may have stolen the personal information of 2.5 million more U.S. consumers than it initially estimated, bringing the total to 145.5 million.
The company said the additional customers were not victims of a new attack but rather victims whom the company had not counted before. Equifax hired the forensic security firm Mandiant to investigate the breach, and the firm finished its report on Sunday.
News of the new victims comes on the eve of congressional testimony to be given by Equifax’s former CEO Richard Smith, who will address a House subcommittee on Tuesday. He was forced into retirement last week in the wake of the attack.
In prepared remarks posted Monday, Smith said the hack was possible because someone in Equifax’s security department didn’t patch a flaw the company had been alerted to by the U.S. Computer Emergency Readiness Team.
A scan performed later to check that the patch had been implemented failed to detect that it hadn’t, Smith said. He gave no reason why the company’s workers failed to install the so-called Apache Struts upgrade.