Equifax has revealed 2.5 million more Americans than previously thought may have had information compromised in a huge cyber security breach at the firm.
The credit report giant said on Monday about 145.5 million of its US customers might have been affected, up from a previous estimate of 143 million.
The update came a day before former boss Richard Smith testifies in Congress about the attack.
Mr Smith apologised ahead of the hearing for the firm’s failings.
Critics say the company failed to take proper steps to guard information – such as Social Security numbers, birth dates and addresses – and waited too long to inform the public.
Equifax disclosed the attack last month, estimating that about 400,000 Britons and 100,000 Canadians may also have had data compromised.
On Monday, the firm raised its estimate for US customers, but lowered it to only 8,000 Canadians after further investigation.
In remarks prepared for Congress, which were published on Monday, Mr Smith urged the US to adopt new standards for customer credit information.
Mr Smith, who resigned last month, said the attack made him believe consumers should have sole control over when their credit information may be accessed.
The testimony from Equifax’s former chief executive and chairman also offered a chronology of the incident.
Mr Smith said the first attack happened in May, with hackers taking advantage of a software vulnerability that Equifax was warned about in March and did not address.
Equifax identified an intrusion on July 29. Mr Smith said he learned about the problem two days later.
An investigation ordered by the company revealed the enormity of the attack by mid-August.
Mr Smith said Equifax faced a “massive” task to prepare to respond to customers. Even so, the firm was overwhelmed by calls after the breach became public, and faced problems with the website it created to address customer complaints.
Equifax holds data on more than 820 million consumers as well as information on 91 million businesses.