Equifax reports breach, says it could affect 143M
The cyberattack, which occurred from May to July, exposed Social Security numbers and birthdates.
Equifax, one of the nation’s three major credit reporting firms, announced Thursday that its computer systems had been breached, leading to the unauthorized access of Social Security numbers and birthdates of up to 143 million U.S. consumers.
The company said the intrusion — enabled by a website vulnerability — occurred from mid-May through July. The issue was discovered July 29, and the company spent recent weeks working with a cybersecurity consultant and authorities on an investigation, which is continuing.
The credit card numbers for 209,000 U.S. consumers were compromised, and dispute documents related to 182,000 U.S. consumers also were accessed.
Social Security numbers and birthdates are particularly sensitive data, giving those who possess them the ingredients for identity fraud and other crimes. Equifax said that it also lost control of an unspecified number of driver’s licenses along with the credit card numbers for 209,000 consumers and credit dispute documents for 182,000 others.
“In addition to the number [of victims] being really large, the type of information that has been exposed is really sensitive,” said Beth Givens, executive director of the Privacy Rights Clearinghouse, a consumer advocacy group based in San Diego, Calif. “All in all, this has the potential to be a very harmful breach to those who are affected by it.”
Equifax said it was alerting those who were affected by mail. It also set up a website, www.equifaxsecurity2017.com, to help consumers understand the breach and check whether they were affected. The company is offering one year of free credit monitoring and identity theft protection to anyone who may have been affected.
“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes,” said Chairman and Chief Executive Officer Richard Smith in a statement published on the company’s website. “We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations. We also are focused on consumer protection and have developed a comprehensive portfolio of services to support all U.S. consumers, regardless of whether they were impacted by this incident.”
The company did not immediately respond to queries about what Web application was hacked nor why it waited six weeks to alert consumers about the breach.
Companies often do not immediately alerted affected people to cybersecurity incidents, prompting calls from state and federal legislators to periodically call for new laws to require more rapid and complete disclosures.
The data breach at Equifax is not the largest on record. Yahoo disclosed in September 2016 that 500 million user accounts had been hacked in 2014, followed by a second disclosure three months later that a different attack in 2013 compromised more than 1 billion accounts.