Massive Equifax breach exposes 143 million to identity theft
SAN FRANCISCO — Credit monitoring company Equifax has been hit by a high-tech heist that exposed the social security numbers and other sensitive information about 143 million people in the U.S., Canada and U.K. Now the unwitting victims have to worry about the threat of having their identities stolen.
Atlanta-based Equifax, which operates in Canada, said Thursday that “criminals” exploited a U.S. website application to access files between mid-May and July.
The theft involved consumers’ names, social security numbers, birth dates, addresses and, in some cases, driver’s licence numbers.
The purloined data can be enough for crooks to hijack the identities of people whose credentials were stolen through no fault of their own, potentially wreaking havoc on their lives.
Most of the people affected are Americans, but the company said in a statement that it also “identified unauthorized access to limited personal information for certain U.K. and Canadian residents.” It said it will “work with U.K. and Canadian regulators to determine appropriate next steps.” On Thursday night, the theft was not acknowledged on the homepage or the news release page of its Canadian website.
“The company has found no evidence that personal information of consumers in any other country has been impacted,” the statement said.
Equifax said its core creditreporting databases don’t appear to have been breached.
“On a scale of one to 10, this is a 10 in terms of potential identity theft,” said Gartner security analyst Avivah Litan. “Credit bureaus keep so much data about us that affects almost everything we do.”
Lenders rely on the information collected by the credit bureaus to help them decide whether to approve financing for homes, cars and credit cards. Credit checks are sometimes done by employers when deciding whom to hire for a job.
Equifax discovered the hack July 29, but waited until Thursday to warn consumers. The company declined to comment on that delay or anything else beyond its published statement. It’s not unusual for U.S. authorities to ask a company hit in a major hack to delay public notice so that investigators can pursue the perpetrators.
The company established a website where people can check to see if their personal information may have been stolen: equifaxsecurity2017.com
“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do,” Equifax CEO Richard Smith said in a statement. “I apologize to consumers and our business customers for the concern and frustration this causes.”
This isn’t the biggest data breach in history. That indignity belongs to Yahoo, which was targeted in at least two digital burglaries that affected more than one billion of its users’ accounts throughout the world.
But no social security numbers or driver’s licence information were disclosed in the Yahoo break-in.
Equifax’s security lapse could be the largest theft involving social security numbers, one of the most common methods used to confirm a person’s identity in the U.S. It eclipses a 2015 hack at health insurer Anthem Inc. that involved the social security numbers of about 80 million people.
Any data breach threatens to tarnish a company’s reputation, but it is especially mortifying for Equifax, whose entire business revolves around providing a clear financial profile of consumers that lenders and other businesses can trust.
“This really undermines their credibility,” Litan said. It also could undermine the integrity of the information stockpiled by two other major credit bureaus, Experian and TransUnion, since they hold virtually all the data that Equifax does, Litan said.
Equifax’s stock dropped 13 per cent to $124.10 in extended trading after its announcement of the breach.
Three Equifax executives insulated themselves from that downturn by selling shares worth a combined $1.8 million US just a few days after the company discovered it had been hacked, according to documents filed with securities regulators.
The sales, executed on Aug. 1 and 2, were made by John Gamble, Equifax’s chief financial officer; Rodolfo Ploder, Equifax’s president of workforce solutions; and Joseph Loughran, Equifax’s president of U.S. information solutions. Bloomberg News first reported the divestitures.