The Arizona Republic

Equifax hack could leave 143M in U.S. at risk of identity theft

3 execs sold company shares after breach discovered

- MICHAEL LIEDTKE

SAN FRANCISCO — Credit monitoring company Equifax has been hit by a high-tech heist that exposed the Social Security numbers and other sensitive informatio­n of about 143 million Americans. Now, the unwitting victims have to worry about the threat of having their identities stolen.

The Atlanta-based company, one of three major U.S. credit bureaus, said Thursday that “criminals” exploited a U.S. website applicatio­n to access files between mid-May and July of this year.

Equifax discovered the hack July 29; a few days later, three Equifax execu-

tives sold a combined $1.8 million worth of shares in the company, according to documents filed with regulators.

The theft obtained consumers’ names, Social Security numbers, birthdates, addresses and, in some cases, driver’s license numbers. The purloined data can be enough for crooks to hijack the identities of people whose credential­s were stolen through no fault of their own, potentiall­y wreaking havoc on their lives. Equifax said its core credit-reporting databases don’t appear to have been breached.

“On a scale of 1 to 10, this is a 10 in terms of potential identity theft,” said Gartner security analyst Avivah Litan. “Credit bureaus keep so much data about us that affects almost everything we do.”

Lenders rely on the informatio­n collected by the credit bureaus to help them decide whether to approve financing for homes, cars and credit cards. Credit checks are even sometimes done by employers when deciding whom to hire for a job.

Equifax declined to comment on why it waited until Thursday to warn consumers, or on anything else beyond its published statement. It’s not unusual for U.S. authoritie­s to ask a company hit in a major hack to delay public notice so that investigat­ors can pursue the perpetrato­rs.

The company establishe­d a website, equifaxsec­urity2017.com, where people can check to see if their personal informatio­n may have been stolen. Consumers can also call 866-447-7559 for more informatio­n. Equifax is also offering free credit monitoring to all U.S. consumers for a year.

“This is clearly a disappoint­ing event for our company, and one that strikes at the heart of who we are and what we do,” Equifax CEO Richard Smith said in a statement. “I apologize to consumers and our business customers for the concern and frustratio­n this causes.”

This isn’t the biggest data breach in history. That indignity still belongs to Yahoo, which was targeted in at least two separate digital burglaries that affected more than 1 billion of its users’ accounts throughout the world.

But no Social Security numbers or driver’s license informatio­n was disclosed in the Yahoo break-in.

Equifax’s security lapse could be the largest theft involving Social Security numbers, one of the most common methods used to confirm a person’s identity in the U.S. It eclipses a 2015 hack at health insurer Anthem Inc. that involved the Social Security numbers of about 80 million people.

Any data breach threatens to tarnish a company’s reputation, but it is especially mortifying for Equifax, whose entire business revolves around providing a clear financial profile of consumers that lenders and other businesses can trust.

“This really undermines their credibilit­y,” Litan said. It also could undermine the integrity of the informatio­n stockpiled by two other major credit bureaus, Experian and TransUnion, since they hold virtually all the data that Equifax does, Litan said.

Equifax’s stock dropped 13 percent, to $124.10, in extended trading after its announceme­nt of the breach.

Three Equifax executives insulated themselves from that downturn by selling shares worth a combined $1.8 million just a few days after the company discovered the breach on July 29, according to documents filed with securities regulators.

The sales, executed on Aug. 1 and 2, were made by John Gamble, Equifax’s chief financial officer; Rodolfo Ploder, Equifax’s president of workforce solutions; and Joseph Loughran, Equifax’s president of U.S. informatio­n solutions. Bloomberg News first reported the divestitur­es.

In a subsequent statement, Equifax said the three executives “had no knowledge that an intrusion had occurred at the time they sold their shares.”

The potential aftershock­s of the Equifax breach should make it clear that Social Security numbers are becoming an unreliable way to verify a person’s identity, Nathaniel Gleicher, the former director of cybersecur­ity policy in the White House during the Obama administra­tion, said in an email statement.

“This breach might just have put the nail in the coffin of the idea that we can use personal identifier­s like Social Security numbers as security factors,” wrote Gleicher, who now oversees cybersecur­ity strategy for computer security firm Illumio.

In addition to the personal informatio­n stolen in its breach, Equifax said the credit card numbers for about 209,000 U.S. consumers were also taken, as were “certain dispute documents” containing personal informatio­n for about 182,000 U.S. individual­s.

Equifax warned that hackers also may have some “limited personal informatio­n” about British and Canadian residents. The company said it doesn’t believe that consumers from any other countries were affected.

Newspapers in English

Newspapers from United States