That brings the total number of people caught up in the massive hack to 145.5 million.
Equifax will alert the additional potentially affected consumers by mail. The website used to determine whether someone was impacted in the breach will be updated to include the new potential victims by October 8, the credit monitoring company said in a statement.
Equifax hired cybersecurity firm Mandiant to investigate the major breach in August – a month before it publicly disclosed that the personal information of millions of customers might have been compromised. On Monday, Equifax announced Mandiant completed its forensic investigation and revised the number of people impacted by the hack.
The new findings included only U.S. consumers, but Equifax also said personal information of 8,000 Canadian consumers was impacted, down from an initial estimate of 100,000.
Federal and state officials are probing the breach and potential executive insider trading.
Former Equifax CEO Richard Smith, who is testifying on Capitol Hill this week, says he is “very sorry” for the security breach that could put millions of people at risk for identity theft and credit fraud.
Smith is slated to appear before the House Energy and Commerce Committee on Tuesday and is expected to testify that human error and technical failures allowed hackers to access personal identifying information.
Hackers accessed names, addresses, social security numbers, and some driver’s licenses through a flaw in software known as Apache Struts. The flaw was disclosed in March, but Equifax failed to detect and fix the hole. Criminals stole the data between May and July, Equifax said.
The company is offering free credit monitoring and credit freezing for people who are concerned about their data falling into the wrong hands.
Smith retired last week. Equifax’s chief information officer and chief security officer also retired last month.
Equifax just scored a $7 million contract to protect the IRS from fraud
The deal was finalized last week, according to the federal government website that tracks contracts.
The timeline is notable; earlier in September, the credit monitoring firm announced a massive security breach that may have exposed the personal information of as many as 145.5 million people.
Equifax is now tasked with helping the agency “verify taxpayer identity and to assist in ongoing identity verification and validations needs,” according to contract details posted online.
The agreement was first reported by Politico.
The posting identifies the contract as a “sole source order,” which indicates that the government thinks Equifax is the only company that can do the job. The designation also means the government doesn’t need to open up a competitive bidding process to let other companies make a pitch.
Neither the IRS nor Equifax immediately responded to a request for comment.
On Tuesday, Richard Smith, the former CEO of Equifax, testified before before the House Energy and Commerce Committee about the breach.
“I’m here today to say to each and every person affected by this breach: I’m truly and deeply sorry for what happened,” Smith said.
He’ll appear before the Senate Banking Committee and a Senate Judiciary subcommittee on privacy on Wednesday.
Equifax is also facing a number of state and federal probes related to the hack. The company is under investigation by the Department of Justice, the FBI and the Federal Trade Commission.
It’s already been sued by the state of Massachusetts and by individuals across the country.