Equifax Breach Actually Affected 145.5 Million People

Equifax completed its investigation into the data breach originally thought to have compromised the names, addresses, and other personal information of roughly 143 million Americans. It turns out that figure was optimistic—the hack actually affected 145.5 million people.

That means the company's estimate was off by 2.5 million people. To put that in context: Houston's population is roughly 2,303,000 people. Chicago's is around 2,705,000. So the number of additional people affected by the Equifax breach sits between the U.S.' third and fourth largest cities. This is not to mention the 143 million other Americans whose data was compromised by the hack; that's approximately 44% of the U.S. population.

In case you've missed anything about the Equifax breach, we wrote a handy little recap when we covered the resignation of CEO Richard Smith:

  • Equifax allowed a critical Apache Struts vulnerability to go unpatched, which resulted in this breach.
  • Before the company disclosed the breach, three executives sold nearly $1.8 million worth of stock.
  • Shortly after the hack's disclosure, Equifax changed its protective service's arbitration clause, which would've prevented anyone from suing it.
  • It's revealed that Equifax "secured" a server holding Argentinians' personal data with the username / password combo of "admin / admin."
  • Equifax's social media team directed people to a fake site that could have stolen their private data.

Equifax's investigation was conducted by Mandiant, a FireEye company dedicated to "helping organizations respond to and proactively protect against advanced cyber security threats," according to its website. Companies often hire Mandiant to determine the full extent of a breach and figure out how to respond to prevent similar attacks. (Though perhaps Equifax should've focused more on the "proactive" side of things.)

"I was advised Sunday that the analysis of the number of consumers potentially impacted by the cybersecurity incident has been completed, and I directed that the results be promptly released," newly appointed interim CEO, Paulino do Rego Barros, Jr. said. "Our priorities are transparency and improving support for consumers. I will continue to monitor our progress on a daily basis."

There's good news for those who live in the land of maple leaves and hockey sticks: Equifax's original estimate that 100,000 Canadians may have been affected by this breach was overblown. Instead, the number is roughly 8,000 people. That's nothing to sneeze at, but it's certainly better than the number of people in the U.S. who now have to spend the rest of their lives worrying about identity theft.

The UK got slightly less good news. Equifax said the "forensic investigation related to United Kingdom consumers has been completed and the resulting information is now being analyzed in the United Kingdom." Unfortunately, it's not clear when those findings will be shared, because the company is "continuing discussions with regulators in the United Kingdom regarding the scope of the company's consumer notifications."

We suspect people in the UK will be waiting with bated breath to learn more about how they may have been affected by this breach. Here's to hoping things lean a little more on the Canadian side of things—what with just a few thousand people affected—than on the dumpster fire happening on the U.S. side.

Nathaniel Mott
Freelance News & Features Writer

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.

  • Olle P
    An estimate that is off by less than 1.8% is pretty good by any standards!
  • DarkSable
    Don't forget the CEO walking away with a 7-digit golden parachute, and the IRS subsequently hiring Equifax for a seven million, no-bid contract. This is all just messed up on an unimaginable level.