Atlanta-based credit reporting and technology company Equifax said Thursday a “cyber security incident” may have exposed to criminals the personal information, including Social Security numbers, of 143 million U.S. consumers.
The personal information said to have been accessed — also including, names, birth dates and addresses — is some of the most sensitive possible, and could leave consumers vulnerable to identity theft and financial fraud for years, experts said. Personal identity information can be used over and over and fetch high prices among criminals.
Cyber thieves have hacked a number of high-profile targets in recent years, including payment systems at Home Depot, the accounts of a half-billion Yahoo users and even taxpayer data held by the Internal Revenue Service.
But what was accessed by hackers this time — what amounts to half of the adult population of the U.S. — is far more expansive.
“The sensitivity of the information is particularly significant,” said Beth Givens, executive director of Privacy Rights Clearinghouse in California. “Just all in all, the data elements that have been compromised collectively are extremely useful to ID thieves and other types of crooks.”
Equifax said driver’s license numbers might also have been exposed in some cases, along with credit card numbers of about 209,000 Americans and “certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers.” The unauthorized access also compromised some personal information for an undisclosed number of residents of the United Kingdom and Canada, Equifax said.
In a short video posted on a specially created website for the breach, Equifax Chairman and CEO Rick Smith said the breach “strikes at the core of who we are and what we do.”
“I deeply regret this incident and I apologize to every affected consumer and all of our partners,” he said. “We all know that the threats to data security are growing by the day. And while we’ve made significant investments in cybersecurity, we have more to do and we will.”
Equifax provides a range of service, but Smith said in the video the review “found no evidence of unauthorized activity on our core credit reporting databases.”
Unauthorized access to the information occurred from mid-May to July, the company said, and was discovered by the company on July 29. Equifax engaged an outside cybersecurity firm to investigate, the company said, and conduct a forensic review. That review, which the company described as “substantially complete,” is expected to be finished in a manner of weeks.
Equifax reported the cyber-attack to law enforcement and said the company is cooperating with authorities and regulators.
Equifax gave few details about how the data was accessed and whether it was their own operations that were breached or those of an outside vendor. The company said only that “criminals exploited a U.S. website application vulnerability to gain access to certain files.”
An Equifax spokeswoman declined to provide further comment.
Givens said it is a dispiriting irony that Equifax is one of the three major credit reporting companies and offers services to protect consumers’ identities. The company holds enormous caches of information about every American and people across the globe.
“This is a terribly depressing message, but I think that people just need to assume that their personal data and their financial data is compromised all the time,” privacy rights advocate Givens said. “That’s why it’s so important to obtain three credit reports each year, keep track of financial accounts on a regular basis.”
Channel 2 Consumer Advisor Clark Howard called the breach the worst in the modern era.
“This is as bad and as thorough as any data breach I can ever recall,” Howard said. “This is very disturbing to me that this happened in July and it has been kept a secret from us since that time.”
Equifax is best known for its credit reporting business, but the company is much larger today after a string of acquisitions.
Banks use Equifax’s data and services to verify who you are and whether or not a consumer is credit worthy.
Equifax businesses include Talx, which helps employers file unemployment claims and screens hires for companies, IXI, a wealth information database, and Anakam, a technology company that provides unique identity security products and contracts with the government and health care companies.
Equifax said it manages and analyzes data for more than 820 million consumers and 91 million businesses worldwide and operates in 24 counties.
The company reported $856.7 million in revenue in the second quarter of 2017, up 6 percent from the same period a year ago. Net income was $165.4 million in the quarter ended June 30.
The company has set up a website, www.equifaxsecurity2017.com, for additional information and to access credit monitoring and identity theft protection services.
Equifax said it would provide a free one-year package of credit monitoring and ID protection, which CEO Smith called an unprecedented step.
But Howard said consumers should consider a credit freeze.
A freeze prevents new lines of credit from being created in a consumer’s name.
“Any other step will not help you in a breach this thorough,” he said.
Staff writer Russell Grantham contributed to this report.
Notable hacks in recent history
Data breaches by hackers or through bureaucratic mistakes have been an all-too-frequent event in which the personal information of millions of people have ended up compromised or in thieves’ hands.
Here’s a listing of some of the more recent cases:
September 2016: Yahoo discloses that half billion users’ accounts have been compromised in cyber attacks dating back to 2014.
March 2016: Los Angeles hospital chain MedStar discloses that it paid hackers $17,000 to regain control of its computer system containing the records of nearly 80 million people maintained by the health insurer Anthem.
November 2015: Georgia Secretary of State Brian Kemp acknowledges that the agency illegally disclosed the Social Security numbers and other private information of more than 6 million registered voters to a dozen organizations that subscribe to voter lists.
August 2015: Medical Informatics Engineering, an Indiana medical software company, disclosed that hackers got private information of 3.9 million people nationwide.
June 2015: Hackers linked to China appear to have gained access to sensitive background information on up to 14 million U.S. intelligence and military personnel submitted for security clearances, according to several U.S. officials.
February 2015: Anthem, the nation’s second-largest health insurer and parent company of Blue Cross-Blue Shield of Georgia, suffered a data breach in which as many as 80 millioncustomers may have had their account information and Social Security numbers stolen.
December 2014: Hackers believed to be linked to North Korea breached Sony’s email systems, got employee data and put several as-yet-unreleased films on the Internet.
November 2014: The U.S. Postal Service disclosed a major data theft that “potentially compromised” databases containing postal employees’ names, birth dates, addresses and Social Security numbers.
September 2014: Home Depot confirms that hackers got more than 50 million credit or debit card numbers from its payment systems.
January 2014: Coca-Cola discloses that least 74,000 current and former Coca-Cola employees may have been compromised after company laptops were stolen, including Social Security numbers for about 18,000 people.
January 2014: Nieman Marcus discloses that hackers got account information on 1.1 million credit and debit cards.
January 2014: Target discloses that thieves got personal information on 70 million people in late 2013, on top of an earlier disclosure that hackers also got debit and credit card information on up to 40 million shoppers.
Resources for consumers
Equifax said it would provide a free one-year package of credit monitoring and ID protection services: https://www.equifaxsecurity2017.com/
Privacy Rights Clearinghouse: https://www.privacyrights.org/consumer-guides/what-do-when-you-receive-data-breach-notice
Federal Trade Commission: https://www.identitytheft.gov/Info-Lost-or-Stolen
Support real journalism. Support local journalism. Subscribe to The Atlanta Journal-Constitution today. See offers.
Your subscription to the Atlanta Journal-Constitution funds in-depth reporting and investigations that keep you informed. Thank you for supporting real journalism.