Equifax data breach affected millions more than first thought

NEW YORK -- Credit reporting company Equifax (EFX) said Monday that an additional 2.5 million Americans may have been affected by a massive security breach this summer.

That brings the total number of Americans whose data was exposed to 145.5 million people. Equifax said the company it hired to do an examination of the breach, Mandiant, has concluded its investigation and plans to release the results "promptly."

The update comes as Equifax's former CEO, Richard Smith, is scheduled to testify in front of Congress starting Tuesday. He's expected to face bipartisan anger from politicians who have expressed outrage that a company tasked with securing vast amounts of personal data was unable to keep their security software up to date. The information stolen included names, Social Security numbers, birth dates and addresses.

In prepared testimony released Monday, Smith said he was "deeply sorry" for the breach and blamed the incident on human error and technology failures. He resigned last week after 12 years leading Equifax.

According to Smith, the Department of Homeland Security warned the company on March 8 about the need to patch a particular vulnerability in software Equifax and other business used. The company emailed out that warning the following day and requested that applicable personnel install the upgrade.

While Equifax's policy required the upgrade to occur within 48 hours, Smith said that did not occur. The company's information security department also ran scans on March 15 that did not pick up the vulnerability.

Equifax faces several state and federal inquiries and class-action lawsuits as a result of the breach.