Equifax Hacked: Credit Reporting Company Breached, Could Affect 143 Million Americans

Credit reporting firm Equifax reported Thursday that it experienced a “cybersecurity incident” that exposed credit card numbers and personal information for hundreds of thousands of Americans and may affect as many as 143 million consumers in the United States.

Equifax said criminals exploited a web application vulnerability that allowed them to gain access to sensitive data. The company’s investigation found unauthorized access to the credit card numbers of approximately 209,000 and personally identifying information of approximately 182,000 U.S. consumers.

During the investigation, the company said it also identified unauthorized access to a limited amount of personal information for certain consumers located in the United Kingdom and Canada and is working with the authorities in those countries on next steps.

Equifax’s core consumer and commercial credit reporting databases are believed to be unaffected.

The credit reporting firm, which provides credit reports and other information services, said the breach occurred from mid-May through July 2017. The breach was discovered on July 29, and the company launched an investigation into the intrusion upon its discovery.

After the incident was reported by Equifax, Bloomberg reported three executives with the company sold $1.8 million worth of stock. Those sales happened just days after the breach was discovered but Equifax didn't publicly disclose the apparent breach for 40 days.

"This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes," Equifax Chairman and CEO Richard F. Smith said in a statement.

"We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations. We also are focused on consumer protection and have developed a comprehensive portfolio of services to support all U.S. consumers, regardless of whether they were impacted by this incident."

Mike Shultz, CEO of cyber security firm Cybernance told International Business Times the Equifax breach "totally inexcusable."

"This wasn’t a technical assault—this was a simple access by hackers through web application that was not properly secured. This critical breakdown of internal defenses is no different than every major breach of significance in the past two years, but the sensitive information accessed points to extreme danger for the personal wealth and financial health of our economy," Shultz said.

Equifax claimed that it engaged with a leading, independent cybersecurity firm to conduct an assessment of its systems and provide recommendations on steps that can be taken to prevent another incident from happening in the future. It also said it is in the process of contacting U.S. state and federal regulators to report the breach.

"We see breach after breach attributed to poorly patched or ill maintained internal applications, which is ironic considering security professionals continue to predict cloud apps as the bigger security concern," Mike Schuricht, the Vice President of Product Management at cloud security firm Bitglass, told IBT.

"It's becoming more and more clear that moving to the cloud often means increased security, as the ability to adequately protect the application is an existential question for cloud app vendors," Schuricht said.

In response to the breach, Equifax said it will contact consumers who had credit card numbers or other personal information exposed with direct mail notices.

The company also launched a dedicated website to help consumers determine if they had been affected by the breach and what steps they should take to secure their personal and financial information.

Equifax is offering credit card monitoring and identity theft protection services to those who were affected by the incident. The services—which include the ability to lock and unlock Equifax credit reports, identity theft insurance and internet scanning for stolen Social Security numbers—will be provided to consumers free for one year.

It’s worth noting for those who may have been affected that they must enroll in the Equifax service by November 21 in order to be eligible. Equifax also asks consumers for the last six digits of their social security number—a piece of information some may be wary to share with a firm that just experienced a massive data breach.

Cybernance's Shultz suggested the aftermath of the breach may be devastating, suggesting that an incident so large means every family in the U.S. is affected.

"The bad guys now have your financial information, your employment history, your children’s names, what school they attend—this is a tsunami of personal risks to all U.S. citizens, not just the 44 percent who were directly affected," he said.

The cybersecurity firm CEO said the Equifax breach "goes down to the fiber of the United States, and a breach of this caliber has the potential to freeze the credit reporting system, the banking system, and do major damage to the global economies as a whole."

Matt Schultz, the senior industry analyst for CreditCards.com, told IBT the breach is "reach number 10,000 to check your online bank statements and credit card statements on a regular basis, ideally weekly."

He said that consumers need to be diligent, not just in response to a breach like the Equifax incident but at all times. "Just because nothing looks amiss on your bank statements or your credit report now, that doesn't mean you haven't been compromised. Bad guys can be very patient, so it's important to keep an eye out long after this story fades from the headlines," he said.

The analyst advised all consumers to check credit card statements, bank statements, and examine credit reports from all report bureaus on a regular basis and "if you see something, say something." He said consumers are the last line of defense against fraud.