The Wall Street Journal on Tuesday reported that 10.9 million Americans' driver's license numbers were compromised in the massive Equifax cyberattack disclosed last month.
Overall, around 145.5 million people had their information compromised, including Social Security numbers, birth dates and addresses.
The Journal reported (subscription required) that the driver's licenses had been requested from customers to verify their identities when they went onto an Equifax web page to dispute their credit-report information — a page that later became one of the entry points hackers used to access the agency's files. And of course a driver's license is commonly used for confirming a person's identity — or for stealing it.
While most of that 145.5 million customer total was in the United States, Equifax said Tuesday that 15.2 million client records in Britain were compromised, including sensitive information about nearly 700,000 consumers. The U.S.-based company said 14.5 million of the records, which dated from 2011 to 2016, did not contain information that put British consumers at risk.
Equifax said it would notify the 693,665 affected U.K. consumers by mail and offer them several of its own and third-party risk-mitigation products for free to help minimize the risk of criminal activity.
Equifax has faced seething criticism from consumers, regulators and lawmakers over its handling of the breach, which occurred between mid-May and late July and was not disclosed until Sept. 7. Since then, the company has parted ways with its chief executive officer, chief information officer and chief security officer.
"Once again, I would like to extend my most sincere apologies to anyone who has been concerned about or impacted by this criminal act," said Patricio Remon, Equifax's president for Europe. "Let me take this opportunity to emphasize that protecting the data of our consumers and clients is always our top priority."
The company was alerted in March that a software security vulnerability existed in one or more of its systems, but it failed to fix the problem because of "both human error and technology failures," former CEO Richard Smith told a U.S. congressional committee.
As a credit reporting agency, Equifax keeps vast amounts of consumer data for banks and other creditors to use to determine the chances of their customers' defaulting.
The breach has prompted investigations by multiple federal and state agencies, including a criminal probe by the U.S. Department of Justice.
Equifax said earlier this month that it had determined some 8,000 Canadian consumers were also impacted by the breach, far fewer than the 100,000 it had previously warned were at risk.
It said the initial estimate "was preliminary and did not materialize" and that the company planned to mail notifications to those affected with information about free credit monitoring and identity theft protection services.
Reporting by John McCrank and Alastair Sharp