By Selena Larson
PHILADELPHIA (CNN) — Cybercriminals exposed millions more people’s personal information in the Equifax hack than the company reported last September.READ MORE: CBS3 Mysteries: Investigators Seeking Vehicle, Possible Witness Who Could Be Key In Solving Brett Moss' Murder
On Thursday, Equifax said the breach surfaced 2.4 million more Americans’ names and drivers license numbers — less data than was exposed from the millions of other victims.
Equifax said it will notify the new victims directly. It will offer identity theft protection and credit file monitoring services at no cost.
The credit monitoring agency previously said hackers accessed personal information of 145.5 million people, including names, Social Security numbers drivers license numbers and addresses.
The latest disclosure is another blow to the Equifax. Since the breach, Equifax’s CEO Richard Smith and top security officers resigned. In October, Smith testified in front of Congress and apologized for the breach.
Equifax first disclosed the bombshell hack in September 2017, three months after the company discovered the breach. Hackers leveraged a security flaw in a tool designed to build web applications to steal customer data. Equifax admitted it was aware of the security flaw a full two months before the company says hackers first accessed its data.
It is not yet known who is responsible for the hack, but the investigation is ongoing.READ MORE: Archbishop Ryan High School's Sister Frances Antoinette Struck, Killed By PECO Truck In North Philadelphia
It is unclear if the company will face consequences for leaking millions of people’s sensitive data that could be used for identity theft.
The company is currently under investigation by multiple states attorneys general and faces a number of civil lawsuits.
In November, three Democratic senators introduced a data breach disclosure bill, called The Data Security and Breach Notification Act, that could introduce consequences for companies who do not responsibly deal with hacks.
The bill would require companies to report data breaches within 30 days. If someone at a business knowingly conceals a data breach, they could face up to five years in prison.
It is still early in the legislative process, so it’s unclear if the law will eventually pass.
The-CNN-Wire ™ & © 2018 Cable News Network, Inc., a Time Warner Company. All rights reserved.MORE NEWS: New Jersey Restaurants Holding Onto Increased Business As Statewide COVID Cases Climb