Equifax is facing a fresh demand to disclose the full extent of last year’s data breach, following a report that it was bigger than previously disclosed.
The Wall Street Journal (WSJ) reported on Friday that cyber-thieves had accessed US citizens’ email addresses, tax ID numbers and more driver licence information than acknowledged earlier.
US Senator Elizabeth Warren is now demanding details of any other data the firm believes may have been stolen.
She wants a reply by the week’s end.
“As your company continues to issue incomplete, confusing, and contradictory statements and hide information from Congress and the public, it is clear that five months after the breach was publicly announced, Equifax has yet to answer this simple question in full: what was the precise extent of the breach?” the Democratic senator from Massachusetts wrote in a letter to the credit rating agency.
The WSJ said it was unclear how many of the 145.5 million Americans that the firm had previously said were affected by the breach, had had the additional information about them exposed.
The Atlanta, Georgia-based company, one of the biggest companies of its kind, had previously confirmed that social security numbers, birth dates and addresses had been compromised.
“We have complied with applicable notification requirements in the disclosure process,” the firm told the WSJ.
It added that it believed that the additional driver licence data exposed – which is reported to have involved issue dates and the states that granted them – was “extremely minimal”.
The data breach – which is thought to have occurred between mid-May and July 2017 – also affected customers in the UK.
Last month, Equifax revealed that it was writing to a further 167,431 consumers in the country on top of the 693,665 it had already promised to notify.
A spokeswoman for Equifax said the latest disclosure from the US should not imply that additional information about UK citizens had also been stolen.
“This information does not change the number of consumers affected or any of the UK figures/statements already provided,” she said.
The UK’s Financial Conduct Authority is currently investigating Equifax over the cyber-attack, but said it had nothing to add to a letter outlining the probe that it issued in October.