As companies continue to install the vulnerable version of Apache Struts behind the breach, Equifax has filed a clarification statement.

The number of impacted U.S. consumers from the infamous 2017 Equifax data breach now totals about 147.9 million, and the breach has touched almost every adult in the U.S., with more than 45 percent of the population directly affected by the incident. However, it has emerged that not everyone in the breach was affected the same way.

Responding to Congressional pressure, the company clarified the nature and extent of the purloined information in a May 7 filing with the U.S. Securities and Exchange Commission. It turns out that criminals made off with names and dates of birth for 146.6 million people, and Social Security numbers for 145.5 million. However, only about 99 million addresses were stolen.

In addition, about 27.3 million people had their gender exposed, 20.3 million had their phone numbers exposed, and 1.8 million people had their email addresses lifted.

The report also said that the hackers were able to access about 182,000 full documents that were uploaded to the firm’s online dispute portal, including 38,000 driver’s licenses; 12,000 Social Security or taxpayer ID cards; 3,200 passports or passport cards; and 3,000 other government-issued identification documents, including military IDs, state-issued IDs and resident alien cards.

There’s no word yet on attribution for the attack, or why the information heist is so compartmentalized. Equifax did say that it does not expect to uncover more victims.

“The scale of this breach demonstrates how crucial transparency is,” Andrew Avanessian, COO at Avecto, said via email. “The combination of dates of birth, Social Security numbers, payment card details and passport details are more than enough for a hacker to commit fraudulent acts and even steal personal identities. There will be a lot of concerned customers in the wake of this news, and this should act as a lesson to organizations about the importance of being upfront about information that has been breached from the very beginning.”

Ongoing Updates

The report comes on the heels of a revelation in March that there were millions more victims than previously announced, adding 2.4 million more U.S. consumers to the already mammoth heap of victims. The company said that an ongoing analysis of records with help from cyber-firm Mandiant uncovered that names and parts of driver’s license numbers were stolen from the additional cohort of victims. The information did not however include addresses, nor the states that issued the driver’s licenses.

“It’s about sifting through the previously identified stolen data, analyzing other information in our databases that was not taken by the attackers and making connections that enabled us to identify additional individuals,” Paulino do Rego Barros Jr., Equifax’s interim CEO, said of the ongoing effort.

Reacting to the latest set of affected consumers in March, Senator John Thune, R-S.D., chairman of U.S. Senate Committee on Commerce, Science and Transportation, said that his committee plans to investigate the incident further.

“The company knew the incident affected nearly the entire population of credit-active consumers in the United States and had every reason to believe this number could grow,” Thune said in a statement. “Equifax needs to put consumers first and shouldn’t be trying to clean up its mess in a piecemeal fashion.”

The news of the additional victims came as Equifax reported its Q4 2017 financials, which contained some breach-related tidbits: According to an 8-K filing with the S.E.C., the breach had cost the company $114 million after insurance reimbursements as of Dec. 31. However, it gained a $48.3 million windfall in the fourth quarter from the Tax Cuts and Job Acts of 2017, which sent net profit soaring 40%, so damages, at least financially, were minimal.

Apache Struts Flaw: Patching Lags Behind

Equifax first announced the breach on Sept. 7, 2017, about six weeks after first discovering it. The incident stemmed from a failure to apply an available patch to a known vulnerability in Apache Struts, which was fixed in March 2017.

Worryingly, data analysis from cybersecurity startup Sonatype shared with Forbes found that 10,000+ companies (including 57 percent of the Fortune 100) have downloaded the flawed version of Apache Struts since it was patched (and 8,780 have done so since the Equifax breach went public), demonstrating that the impact of that event on corporate security habits has been minimal.

“The intentional introduction of vulnerable software indicates that organizations will favor ensured continuity in application and network connectivity over security,” said Dan Rheault, senior product marketing manager at Tufin, via email. “The willing introduction of vulnerabilities to their network must be coupled with proactive security best practices, such as network segmentation, to ensure that access to known vulnerable applications is minimized, unused access is eliminated and that access is regularly reviewed to eliminate the spread of an attack in the network if their known vulnerabilities are exploited.”

Nick Bilogorskiy, cybersecurity strategist at Juniper Network, added that organizations have had enough time to install the necessary patches.

“There is really no excuse for this,” he told us. “I highly recommend that organizations apply critical security patches within one week of their release in order to reduce the known threat/attack surface. Otherwise, it’s the same as buying expensive locks for the doors to your home but keeping the windows wide open.”