Atlanta-based credit reporting and technology company Equifax said Thursday a “cyber security incident” may have exposed to criminals the personal information, including Social Security numbers, of 143 million U.S. consumers.
The personal information said to have been accessed — also including, names, birth dates and addresses — is some of the most sensitive possible, and could leave consumers vulnerable to identity theft and financial fraud for years, experts said. Personal identity information can be used over and over and fetch high prices among criminals.
Cyber thieves have hacked a number of high-profile targets in recent years, including payment systems at Home Depot, the accounts of a half-billion Yahoo users and even taxpayer data held by the Internal Revenue Service.
But what was accessed by hackers this time — what amounts to half of the adult population of the U.S. — is far more expansive.
“The sensitivity of the information is particularly significant,” said Beth Givens, executive director of Privacy Rights Clearinghouse in California. “Just all in all, the data elements that have been compromised collectively are extremely useful to ID thieves and other types of crooks.”
Equifax said driver’s license numbers might also have been exposed in some cases, along with credit card numbers of about 209,000 Americans and “certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers.” The unauthorized access also compromised some personal information for an undisclosed number of residents of the United Kingdom and Canada, Equifax said.
In a short video posted on a specially created website for the breach, Equifax Chairman and CEO Rick Smith said the breach “strikes at the core of who we are and what we do.”
“I deeply regret this incident and I apologize to every affected consumer and all of our partners,” he said. “We all know that the threats to data security are growing by the day. And while we’ve made significant investments in cybersecurity, we have more to do and we will.”
Equifax provides a range of service, but Smith said in the video the review “found no evidence of unauthorized activity on our core credit reporting databases.”
Unauthorized access to the information occurred from mid-May to July, the company said, and was discovered by the company on July 29. Equifax engaged an outside cybersecurity firm to investigate, the company said, and conduct a forensic review. That review, which the company described as “substantially complete,” is expected to be finished in a manner of weeks.
Equifax reported the cyber-attack to law enforcement and said the company is cooperating with authorities and regulators.
Equifax gave few details about how the data was accessed and whether it was their own operations that were breached or those of an outside vendor. The company said only that “criminals exploited a U.S. website application vulnerability to gain access to certain files.”
An Equifax spokeswoman declined to provide further comment.
Givens said it is a dispiriting irony that Equifax is one of the three major credit reporting companies and offers services to protect consumers’ identities. The company holds enormous caches of information about every American and people across the globe.
“This is a terribly depressing message, but I think that people just need to assume that their personal data and their financial data is compromised all the time,” privacy rights advocate Givens said. “That’s why it’s so important to obtain three credit reports each year, keep track of financial accounts on a regular basis.”
Channel 2 Consumer Advisor Clark Howard called the breach the worst in the modern era.
“This is as bad and as thorough as any data breach I can ever recall,” Howard said. “This is very disturbing to me that this happened in July and it has been kept a secret from us since that time.”
Equifax is best known for its credit reporting business, but the company is much larger today after a string of acquisitions.
Banks use Equifax’s data and services to verify who you are and whether or not a consumer is credit worthy.
Equifax businesses include Talx, which helps employers file unemployment claims and screens hires for companies, IXI, a wealth information database, and Anakam, a technology company that provides unique identity security products and contracts with the government and health care companies.
Equifax said it manages and analyzes data for more than 820 million consumers and 91 million businesses worldwide and operates in 24 counties.
The company reported $856.7 million in revenue in the second quarter of 2017, up 6 percent from the same period a year ago. Net income was $165.4 million in the quarter ended June 30.
The company has set up a website, www.equifaxsecurity2017.com, for additional information and to access credit monitoring and identity theft protection services.
Equifax said it would provide a free one-year package of credit monitoring and ID protection, which CEO Smith called an unprecedented step.
But Howard said consumers should consider a credit freeze.
A freeze prevents new lines of credit from being created in a consumer’s name.
“Any other step will not help you in a breach this thorough,” he said.
Staff writer Russell Grantham contributed to this report.