In 2017, the company announced a massive data breach that (it initially claimed) impacted some 140 million users. Several months after the official announcement, the company was forced to revise the number of impacted users upward, as the forensic investigation into the breach continued.
Now, the company has announced a further upward revision of 2.4 million, bringing the total number of impacted users to slightly more than 148 million.
Equifax CEO Paulino do Rego Barros Jr. had this to say about the announcement, which raised more than a few eyebrows:
“This is not about newly discovered stolen data. It’s about sifting through the previously identified stolen data, analyzing other information in our databases that was not taken by the attackers, making connections that enabled us to identify additional individuals.”
As it did originally, the company has also announced that it would notify the newly identified consumers and offer them free credit monitoring and identity theft protection at no cost.
After last year’s congressional hearings on the matter, this portion of the announcement tends to illicit eyerolls. The company is in the credit monitoring business, and the way the company offers its “free” protection is that at the end of the free period, it automatically rolls into a paid plan unless the user cancels the service.
Of course, as with most such schemes, a high percentage of users won’t think about it until they get their first bill. One of the more acidic comments made during last year’s hearings was that the company actually seems to be profiting from their own data breach. That makes the CEO’s statement that “We are committed to regaining the trust of consumers, improving transparency, and enhancing security across our network” ring a bit hollow.