The Mercury News Weekend

Equifax breach exposes millions

Criminals access data including Social Security numbers and credit info from about 143 million

- By Ethan Baron ebaron@bayareanewsgroup.com

Criminals accessed personal information of up to 143 million Americans — roughly 44 percent of the U.S. population — in a stunning data breach at credit-reporting firm Equifax, the company said Thursday.

Names, Social Security numbers, birth dates, addresses and some driver’s license numbers were accessed by criminals who exploited a website vulnerability, Equifax said. Also exposed to criminals were credit card numbers for about 209,000 U.S. consumers, along with credit-report dispute documents that identify about 182,000 more people in the U.S., the company said.

“It’s a rich set of very sensitive identifying information that doesn’t often get collected all in one place,” said Jonathan Penn, director of strategy at cybersecurity firm Avast. “It goes deep to the bone in terms of its sensitivity.”

The breach comes as businesses and the technology industry are locked in battle with cybercriminals and nation-state hackers who are becoming increasingly skilled at penetrating security and stealing data.

The Equifax data is so detailed that criminals could use it to steal a person’s identity and take out credit in their name, loot their bank accounts or go on a shopping spree, Penn said.

Equifax said 143 million people were “potentially” affected, but by describing exposed data as “information accessed,” the company is probably indicating that at least 143 million people were hit, Penn said.

Bloomberg News reported Thursday evening that three company executives — chief financial officer John Gamble; Joseph Loughran III, the president of U.S. information solutions; and Rodolfo Ploder, the president of workforce solutions — sold large amounts of their shares of Equifax stock totaling nearly $1.8 million in the days after the breach was discovered July 29. The Washington Post confirmed the sales based on Securities and Exchange Commission filings.

The stock trades were not part of a previously scheduled sale, federal filings show.

A company spokeswoman, Ines Gutzmer, said in an email Thursday night, “The three executives who sold a small percentage of their Equifax shares on Tuesday, August 1, and Wednesday, August 2, had no knowledge that an intrusion had occurred at the time they sold their shares.”

Equifax CEO Richard Smith noted the irony of the intrusion into a firm whose brand is built on the company’s reputation as a trustworthy custodian of highly personal data. Atlanta-based Equifax is one of three major credit reporting companies in the country.

“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes,” Smith said in a statement.

“We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations. We also are focused on consumer protection and have developed a comprehensive portfolio of services to support all U.S. consumers, regardless of whether they were impacted by this incident,” he continued.

While Yahoo’s two data breaches involved more victims — the information of at least a billion users was compromised — the data accessed at the credit-reporting firm is much more sensitive and valuable to criminals, Penn said.

Equifax “may have fallen behind in applying security updates to its internet-facing web applications,” said high-profile cybersecurity expert John Krebs. This was not the first serious data breach among the big credit companies, Krebs noted in a blog post Thursday.

In May, Krebs reported that fraudsters had taken advantage of “lax security” in Equifax’s payroll-services division. In 2015, a breach at Experian put 15 million consumers’ personal data at risk, and Experian also allowed an identity-theft scammer to trick the firm into letting cybercriminals view personal and financial data from more than 200 million Americans, Krebs said.

“The credit bureaus — which make piles of money by compiling incredibly detailed dossiers on consumers and selling that information to marketers — have for the most part shown themselves to be terrible stewards of very sensitive data, and are long overdue for more oversight from regulators and lawmakers,” Krebs said.

Although Equifax said it reported the “criminal access” to law enforcement authorities and continues to work with them, it waited more than a month to reveal the incident to the public and to potentially affected consumers. The company said it discovered the breach July 29 “and acted immediately to stop the intrusion.”

The criminals had access to the personal data from mid-May through July, Equifax said.

Equifax has hired a leading cybersecurity company to conduct a “comprehensive forensic review to determine the scope of the intrusion, including the specific data impacted,” the company said.

The firm will mail notices to consumers whose credit card numbers or records of credit disputes were accessed, it said.

It has also set up a website, www.equifaxsecurity2017.com, that it said would help U.S. consumers find out if their information was exposed, and allow them to sign up for a year of free credit-file monitoring and identity-theft protection.

The massive and highly intrusive breach should be a wake-up call for Americans to check online bank and credit card statements regularly, ideally every week, said Matt Schulz, senior industry analyst for CreditCards.com.

“We think nothing of checking Facebook or Instagram 10 times a day, but many think it is too much to ask to check your bank statements once a week,” Schulz said. “It’s not. It’s easy to do, doesn’t take long and can help you spot problems before they get out of control.”

The effects of the Equifax hack could take time to appear, Schulz warned.

“Just because nothing looks amiss on your bank statements or your credit report now, that doesn’t mean you haven’t been compromised,” Schulz said.

“Bad guys can be very patient, so it’s important to keep an eye out long after this story fades from the headlines.”

Equifax CEO Smith promised that the company would do a better job in the future of protecting Americans’ sensitive information.

“I’ve told our entire team that our goal can’t be simply to fix the problem and move on,” Smith said. “Confronting cybersecurity risks is a daily fight. While we’ve made significant investments in data security, we recognize we must do more. And we will.”
