Credit information firm Equifax has revealed that 143m US customers’ data has been stolen.
In a major cyber breach at Equifax, hackers have stolen names, birthdates, social security numbers, addresses and driver licence numbers of 143m people, a large portion of the US population.
“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologise to consumers and our business customers for the concern and frustration this causes,” said chair and CEO Richard F Smith.
“We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations. We also are focused on consumer protection and have developed a comprehensive portfolio of services to support all US consumers, regardless of whether they were impacted by this incident.
Equifax shares tumbled 13pc in overnight trading.
Here’s what you need to know.
1. Equifax is one of the biggest suppliers of credit information on the planet
Founded 118 years ago in 1899, Atlanta-headquartered Equifax is one of the three largest US credit agencies along with Experian and TransUnion. Equifax gathers and maintains information on more than 800m consumers and 88m businesses globally. It employs 9,500 people worldwide.
Equifax’s ties to Ireland extend back to the opening of an office in Wexford in 1994. Last year, the company opened a new R&D operation at Sir John Rogerson’s Quay in Dublin and announced plans to hire 100 new staff in “highly skilled R&D positions”. Siliconrepublic.com previously interviewed the company’s CIO, David Webb.
2. Cyberattackers accessed personal details
Included in the massive data haul are around 209,000 US credit card numbers.
It is understood that criminals exploited a US website application vulnerability to gain access to files.
“The information accessed primarily includes names, social security numbers, birthdates, addresses and, in some instances, driver’s licence numbers,” Equifax said in a statement.
“In addition, credit card numbers for approximately 209,000 US consumers, and certain dispute documents with personal identifying information for approximately 182,000 US consumers, were accessed. As part of its investigation of this application vulnerability, Equifax also identified unauthorised access to limited personal information for certain UK and Canadian residents.
“Equifax will work with UK and Canadian regulators to determine appropriate next steps. The company has found no evidence that personal information of consumers in any other country has been impacted.”
3. The breach was first discovered more than a month ago
Equifax discovered the unauthorised access on 29 July this year and said it acted immediately to stop the intrusion.
The company engaged a leading, independent cybersecurity firm, which has been conducting a comprehensive forensic review to determine the scope of the intrusion, including the specific data impacted. Equifax also reported the criminal access to law enforcement. “While the company’s investigation is substantially complete, it remains ongoing and is expected to be completed in the coming weeks.”
Brian Krebs of Krebs on Security believes it is possible the hackers got in because Equifax may have failed to update its security measures.
“That the intruders were able to access such a large amount of sensitive consumer data via a vulnerability in the company’s website suggests Equifax may have fallen behind in applying security updates to its internet-facing web applications. Although the attackers could have exploited an unknown flaw in those applications, I would fully expect Equifax to highlight this fact if it were true – if for no other reason than doing so might make them less culpable and appear as though this was a crime which could have been perpetrated against any company running said web applications.”
4. How you can determine if you are a victim
Equifax has established a dedicated website to help consumers determine if their information has been potentially impacted, and to sign up for credit file monitoring and identity theft protection.
The offering, called TrustedID Premier, includes 3-Bureau credit monitoring of Equifax, Experian and TransUnion credit reports; copies of Equifax credit reports; the ability to lock and unlock Equifax credit reports; identity theft insurance; and internet scanning for social security numbers – all complimentary to US consumers for one year. The website also provides additional steps consumers can take to protect their personal information.
Equifax said it will send direct mail notices to consumers whose credit card numbers or dispute documents with personal identifying information were impacted.
5. This is the latest in a number of high-profile cyber breaches to rock the US
This isn’t the first time Equifax had its systems breached. In 2013, it emerged that hackers gained illegal access to user information at Equifax, Experian and TransUnion, including details belonging to famous people, ranging from Michelle Obama to Paris Hilton.
Last year, Yahoo – acquired by Verizon earlier this year – disclosed a 2014 breach that affected at least 500m accounts. A few months later, Yahoo announced an earlier breach in 2013, which saw hackers siphon the email addresses, account passwords and dates of birth of 1bn users.
6. Three Equifax executives sold shares after the breach was found
While unrelated, the fact that three senior executives innocently sold stock in Equifax just after the breach was found only makes things look murkier.
It is believed that the trio were uninformed about the breach, and therefore meant no harm, with the selling of stock a commonplace activity among executives at public US companies. Regulatory filings show that CFO John Gamble sold shares worth $946,374, and Joseph Loughran, president of US information solutions, exercised options to dispose of stock worth $584,099. Meanwhile, Rodolfo Ploder, president of workforce solutions, sold $250,458 of stock on 2 August, according to Bloomberg.
In a statement, Equifax emphasised that the executives had “no knowledge that an intrusion had occurred at the time”.