But the millions of Americans whose personal data the company stockpiles to power its services are not technically customers of the company, and so it did not inform them.
Equifax hired cybersecurity firm Mandiant to investigate both the March and July incidents.
USA lawmakers have demanded Equifax release specific details regarding the circumstances surrounding the breach including the timeline, when authorities and board members were informed of the hack and the company's decision to delay public disclosure of the attack for over a month. However, Equifax denies the incidents are related.
Equifax has been damaged by the disclosure of the May breach, with two senior security executives announcing their immediate retirement on Friday.
Google's payment app Google Tez goes live
To make it easier for customers, the USA firm is also offering a Google helpline number and chat support on a daily basis. Tez works with all major Indian banks and the vast majority of smartphones - so you can pay or get paid by nearly anyone.
While investigations into the Equifax data breach are ongoing, the FTC is warning consumers about the risk of fraudsters calling consumers claiming to be Equifax.
Lyndsey Wasser says that Canada's privacy watchdog cannot hand down fines but can recommend the company make changes and sign an agreement urging them to comply. Equifax shares have fallen 35% since the breach was disclosed on September 7 after the market close.
Alongside the 143 million United States consumers whose data was stolen, 400,000 UK residents also had their data illegally accessed, Equifax confirmed.
To run afoul of laws that prohibit insider trading, a seller has to be aware of nonpublic information, said Stephen Crimmins, a former enforcement lawyer for the Securities and Exchange Commission.
Company executives are also under scrutiny, after it was found that three Equifax executives sold shares worth a combined $1.8 million just a few days after the company discovered the breach. Unlike the Americans, however, the Britons only had names, dates of birth, email addresses and telephone numbers stolen - postal addresses or government ID numbers were not included. However, the vulnerability could have been fixed back in early March when patches became available.