Yahoo and Equifax Just Proved that You Can Never Trust the First Number Announced in a Data Breach

It's a verifiable pattern.

Within 24 hours, Yahoo and Equifax both announced that the figures they originally released about the number of people affected in their respective, record-breaking data breaches were incorrect. Both numbers were higher than originally thought.

The announcements fit a pattern in data breaches where companies announce an initial number of people affected, and add to that number later. We’ve charted that below, using announcements and follow-up announcements of some of the largest data breaches in recent years; Yahoo is left out of the chart because its massive scale (now 3 billion) dwarfs the others.

Below are further details on each data breach, ordered by the date of their original announcements:

Equifax

First announcement: September 7, 2017 (143 million records)
Second announcement: October 2, 2017 (145.5m)

Equifax announced on September 7 that hackers had stolen records from its servers that contained personal information on 143 million Americans. Then, 25 days later, on October 2, the company announced the number was actually 145.5 million.

Yahoo

First announcement: December 14, 2016 (1 billion)
Second announcement: October 3, 2017 (3 billion)

Yahoo learned in November 2016 that 1 billion of its users’ account details, including passwords, had been stolen by hackers. It was already the largest known data breach in history, and the number has now tripled to 3 billion, representing every account that existed at the time of the theft in August 2013. Last March, the US Justice Department announced that Russian intelligence operatives were involved in the theft of at least some of the accounts.

US Office of Personnel Management (OPM)

First announcement: June 4, 2015 (4.2m)
Second announcement: July 9, 2015 (25.7m)

The OPM’s estimate of the number of government employee records hacked in 2015 grew from 4 million to nearly 26 million in about a month. It took an additional two months to figure out that 5.6 million of those records included fingerprint data.

Home Depot

First announcement: September 18, 2014 (56m)
Second announcement: November 6, 2014 (109m)

Home Depot’s first announcement disclosed the loss of 56 million payment cards in 2014; the second added the contact details of 53 million customers.

Target

First announcement: December 19, 2013 (40m)
Second announcement: January 10, 2014 (110m)

Target added 70 million to the total number of customer records that were stolen in its 2013 breach.

Adobe

First announcement: October 3, 2013 (3m)
Second announcement: October 29, 2013 (38m)

Less than a month after disclosing a 2013 breach of customer passwords and other records, Adobe added 35 million to its number.