Credit reporting agency Equifax Inc (EFX.N) said on Tuesday that 15.2 million client records in Britain were compromised in the massive cyber attack it disclosed last month, including sensitive information affecting nearly 700,000 consumers.
The U.S.-based company said 14.5 million of the records breached, which dated from 2011 to 2016, not contain information that put British consumers at risk.
Overall, around 145.5 million people, mostly in the United States, had their information, including Social Security numbers, birth dates, addresses and, in some cases, driver's license numbers, stolen.
Equifax said it would notify the 693,665 affected UK consumers by post and offer them several its own and third party risk mitigation products for free to help minimize the risk of possible criminal activity.
Equifax has faced seething criticism from consumers, regulators and lawmakers over its handling of the breach, which happened between mid-May and late July and was disclosed on Sept. 7. Since then, the company has parted ways with its chief executive officer, chief information officer and chief security officer.
"Once again, I would like to extend my most sincere apologies to anyone who has been concerned about or impacted by this criminal act," Patricio Remon, Equifax's president for Europe. "Let me take this opportunity to emphasize that protecting the data of our consumers and clients is always our top priority."
The company was alerted in March that a software security vulnerability existed in one or more of its systems, but it failed to fix the problem because of "both human error and technology failures," former CEO Richard Smith told a U.S. congressional committee.
As a credit reporting agency, Equifax keeps vast amounts of consumer data for banks and other creditors to use to determine the chances of their customers' defaulting.
The breach has prompted investigations by multiple federal and state agencies, including a criminal probe by the U.S. Department of Justice.
Equifax said earlier this month that it had determined some 8,000 Canadian consumers were also impacted by the breach, much less than the 100,000 it had previously warned were at risk.
It said the initial estimate "was preliminary and did not materialize" and that the company planned to mail notifications to those affected with information about free credit monitoring and identity theft protection services.