Equifax data breach: the number of affected US consumers rises

6 October 2017

Editor

Equifax, the credit rating agency, has announced that 2.5 million additional US consumers were potentially impacted by a data breach first publicly reported last month, bringing the total to 145.5 million people.

The Equifax data breach led to a major management overhaul on 26th September, demonstrating the damage a cyber security incident like this can do to a business. Richard Smith was forced out as chairman and chief executive (CEO). Paulino do Rego Barros, previously Equifax's president, Asia Pacific, was appointed interim CEO, while an existing board member, Mark Feidler, became its non-executive chairman.

The cybersecurity firm Mandiant investigated the data breach and identified the consumers who had been impacted by it. The personal details accessed were primarily names, Social Security numbers, birth dates, addresses and, in some instances, driver's license numbers. Additionally, credit card numbers for approximately 209,000 US consumers and certain dispute documents with personal identifying information for approximately 182,000 US consumers were accessed.

Equifax said that Mandiant did not identify any evidence of additional or new attacker activity or any access to new databases or tables. The review also found that databases located outside of the United States were not accessed. However, Equifax has found that 8,000 Canadian consumers were affected as they were on US databases and that some Canadians were among those whose credit card numbers had been accessed. Some UK consumers have also been affected as Equifax erroneously held their data in the US between 2011 and 2016.

Barros said: "I want to apologise to all impacted consumers. As this important phase of our work is now completed, we continue to take numerous steps to review and enhance our cybersecurity practices. We also continue to work closely with our internal team and outside advisors to implement and accelerate long-term security improvements".

Meanwhile, three Congressional committees held hearings this week to examine how the data breach, first detected by Equifax at the end of July, came about. The former chairman and CEO Smith, now an unpaid adviser to Equifax, appeared before the House of Representatives' Energy and Commerce Committee, the US Senate's Committee on Banking, Housing & Urban Affairs and the House Financial Services Committee.

In a statement prepared before the first House hearing, Smith said that the data breach had occurred because a vulnerable piece of software that should have been patched in March was not dealt with. Hackers were able to access data in May, and that access continued until the illegal data breach was detected at the end of July. The hack was reported to the Federal Bureau of Investigation at the beginning of August. As well as acknowledging the failings that resulted in the data breach, Smith admitted that the company had insufficient call centre staff to deal with the volume of calls following the announcement of the hack in September.

The Senate's Commerce, Science & Transportation Committee will also be holding a hearing investigating the Equifax data breach later this month. The committee also intends to question Yahoo executives after the company admitted that its 2013 data theft is now known to have affected all of its approximately three billion accounts rather than the one billion previously announced in 2016. Yahoo is now part of Oath, a subsidiary of Verizon Communications.
