By John McCrank(Reuters) – Credit reporting agency Equifax Inc <EFX.N> said on Tuesday that 15.2 million client records in Britain were compromised in the massive cyber attack it disclosed last month, including sensitive information affecting nearly 700,000 consumers.
The U.S.-based company said 14.5 million of the records breached, which dated from 2011 to 2016, did not contain information that put British consumers at risk.
Overall, around 145.5 million people, mostly in the United States, had their information compromised, including Social Security numbers, birth dates and addresses.
The hack also exposed the driver’s license numbers of around 10.9 million Americans, the Wall Street Journal reported.
Equifax said it would notify the 693,665 affected UK consumers by post and offer them several of its own and third-party risk-mitigation products for free to help minimize the risk of possible criminal activity.
Equifax has faced seething criticism from consumers, regulators and lawmakers over its handling of the breach, which occurred between mid-May and late July and was not disclosed until Sept. 7. Since then, the company has parted ways with its chief executive officer, chief information officer and chief security officer.
“Once again, I would like to extend my most sincere apologies to anyone who has been concerned about or impacted by this criminal act,” said Patricio Remon, Equifax’s president for Europe. “Let me take this opportunity to emphasise that protecting the data of our consumers and clients is always our top priority.”
The company was alerted in March that a software security vulnerability existed in one or more of its systems, but it failed to fix the problem because of “both human error and technology failures,” former CEO Richard Smith told a U.S. congressional committee.
As a credit reporting agency, Equifax keeps vast amounts of consumer data for banks and other creditors to use to determine the chances of their customers’ defaulting.
The breach has prompted investigations by multiple federal and state agencies, including a criminal probe by the U.S. Department of Justice.
Equifax said earlier this month that it had determined some 8,000 Canadian consumers were also impacted by the breach, far fewer than the 100,000 it had previously warned were at risk.
It said the initial estimate “was preliminary and did not materialise” and that the company planned to mail notifications to those affected with information about free credit monitoring and identity theft protection services.
(Reporting by John McCrank in New York, additional reporting by Alastair Sharp in Toronto; Editing by Tom Brown and Matthew Lewis)