Credit reporting firm Equifax said its systems were struck by a cyberattack that may have affected about 143 million US customers, shedding light on one of the largest and most intrusive breaches in history.
While Equifax’s EU data hub is based in Ireland, it is not yet clear whether any Irish consumers have been affected, according to Brian Honan, an IT security expert.
Some UK and Canadian residents were, however, reported to be affected. The company is working with regulators in both countries. It uncovered the breach on July 29th. While the company’s investigation is substantially complete, it remains open and is expected to be completed in coming weeks, Equifax said.
Intruders accessed names, social security numbers, birth dates, addresses and driver’s licence numbers, Equifax said in a statement. Credit card numbers for about 209,000 consumers were also accessed, the company said. Equifax shares dropped more than 8 percent in after-hours trading.
“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologise to consumers and our business customers for the concern and frustration this causes,” chief executive officer Richard Smith said.
The company set up a website, www.equifaxsecurity2017.com, that consumers can use to determine whether their information was compromised. It’s also offering free credit-file monitoring and identity-theft protection.
The incident is a stark reminder of the risk of consumers’ personal data being exposed online. It’s particularly worrisome for the millions of people who trust credit-reporting agencies like Equifax to handle and protect their financial information.
Criminals took advantage of a “US website application vulnerability to gain access to certain files” from mid-May through July of this year, Equifax said. The intruders also accessed dispute documents with personal identifying information for about 182,000 consumers.
“It’s a huge deal,” said Tim Crosby, senior consultant with security-assessment firm Spohn. “You would expect these guys to have compartmentalised this data far enough away from a web server – that there would not be any way to directly access it.”
Equifax has been hit by breaches in the past. Experian, Equifax and TransUnion, the three biggest US credit-reporting companies, uncovered cases in 2013 where hackers gained illegal, unauthorised access to user information. Credit reports, purportedly on famous people ranging from Michelle Obama to Paris Hilton, were posted online in that hack.
This is the most high-profile cybersecurity breach since online portal Yahoo reported two separate incidents. Last year, Yahoo, whose web assets were acquired by Verizon Communications Inc earlier this year, disclosed a 2014 breach that affected at least 500 million customer accounts. A few months later, the company said a 2013 hack siphoned email addresses, scrambled account passwords and dates of birth of as many as one billion users.
The Equifax breach exposed information, including social security and credit card numbers, that could be more valuable to bad actors and potentially more damaging to consumers.
The Federal Bureau of Investigation didn’t immediately respond to emails and a phone message requesting comment about its possible involvement in an investigation.
– Bloomberg