Equifax Inc. said Thursday that the company has confirmed the identities of approximately 2.4 million U.S. consumers whose names and partial driver’s license information were stolen, but who were not in the previously identified affected population discussed in the company’s prior disclosures about the incident.
According to Equifax, it was able to identify these consumers by referencing other information in proprietary company records that the attackers did not steal, and by engaging the resources of an external data provider.
The methodology used in the company’s forensic examination of last year’s cybersecurity incident leveraged Social Security Numbers (SSNs) and names as the key data elements to identify who was affected by the cyberattack, the company stated.
This was in part because forensics experts had determined that the attackers were predominately focused on stealing SSNs, said Equifax. Today’s newly identified consumers were not previously informed because their SSNs were not stolen together with their partial driver’s license information, Equifax stated.
“This is not about newly discovered stolen data,” said Paulino do Rego Barros, Jr., Interim Chief Executive Officer. “It’s about sifting through the previously identified stolen data, analyzing other information in our databases that was not taken by the attackers, and making connections that enabled us to identify additional individuals.”
According to Equifax, it will notify these newly identified U.S. consumers directly, and will offer identity theft protection and credit file monitoring services at no cost to them.