Equifax said driver’s license numbers might also have been exposed in some cases, along with credit card numbers of about 209,000 Americans and “certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers.” The unauthorized access also compromised some personal information for an undisclosed number of residents of the United Kingdom and Canada, Equifax said.
In a short video posted on a specially created website for the breach, Equifax Chairman and CEO Rick Smith said the breach “strikes at the core of who we are and what we do.”
“I deeply regret this incident and I apologize to every affected consumer and all of our partners,” he said. “We all know that the threats to data security are growing by the day. And while we’ve made significant investments in cybersecurity, we have more to do and we will.”
Equifax provides a range of services, but Smith said in the video the review “found no evidence of unauthorized activity on our core credit reporting databases.”
Unauthorized access to the information occurred from mid-May to July, the company said, and was discovered by the company on July 29. Equifax engaged an outside cybersecurity firm to investigate, the company said, and conduct a forensic review. That review, which the company described as “substantially complete,” is expected to be finished in a matter of weeks.
Equifax reported the cyber-attack to law enforcement and said the company is cooperating with authorities and regulators.
Equifax gave few details about how the data was accessed and whether it was their own operations that were breached or those of an outside vendor. The company said only that “criminals exploited a U.S. website application vulnerability to gain access to certain files.”
An Equifax spokeswoman declined to provide further comment.
Givens said it is a dispiriting irony that Equifax is one of the three major credit reporting companies and offers services to protect consumers’ identities. The company holds enormous caches of information about every American and people across the globe.
“This is a terribly depressing message, but I think that people just need to assume that their personal data and their financial data is compromised all the time,” privacy rights advocate Givens said. “That’s why it’s so important to obtain three credit reports each year, keep track of financial accounts on a regular basis.”
Channel 2 Consumer Advisor Clark Howard called the breach the worst in the modern era.
“This is as bad and as thorough as any data breach I can ever recall,” Howard said. “This is very disturbing to me that this happened in July and it has been kept a secret from us since that time.”
Equifax is best known for its credit reporting business, but the company is much larger today after a string of acquisitions.
Banks use Equifax’s data and services to verify who a consumer is and whether or not that consumer is creditworthy.
Equifax businesses include Talx, which helps employers file unemployment claims and screens hires for companies, IXI, a wealth information database, and Anakam, a technology company that provides unique identity security products and contracts with the government and health care companies.
Equifax said it manages and analyzes data for more than 820 million consumers and 91 million businesses worldwide and operates in 24 countries.
The company reported $856.7 million in revenue in the second quarter of 2017, up 6 percent from the same period a year ago. Net income was $165.4 million in the quarter ended June 30.
The company has set up a website, www.equifaxsecurity2017.com, for additional information and to access credit monitoring and identity theft protection services.
Equifax said it would provide a free one-year package of credit monitoring and ID protection, which CEO Smith called an unprecedented step.
But Howard said consumers should consider a credit freeze.
A freeze prevents new lines of credit from being created in a consumer’s name.
“Any other step will not help you in a breach this thorough,” he said.
Staff writer Russell Grantham contributed to this report.
Notable hacks in recent history
Data breaches by hackers or through bureaucratic mistakes have been an all-too-frequent event in which the personal information of millions of people has ended up compromised or in thieves’ hands.
Here’s a listing of some of the more recent cases:
Yahoo discloses that a half billion users' accounts have been compromised in cyber attacks dating back to 2014.
March 2016: Los Angeles hospital chain MedStar discloses that it paid hackers $17,000 to regain control of its computer system containing the records of nearly 80 million people maintained by the health insurer Anthem.
Georgia Secretary of State Brian Kemp acknowledges that the agency illegally disclosed the Social Security numbers and other private information of more than 6 million registered voters to a dozen organizations that subscribe to voter lists.
Medical Informatics Engineering, an Indiana medical software company, disclosed that hackers got private information of 3.9 million people nationwide.
June 2015: Hackers linked to China appear to have gained access to sensitive background information on up to 14 million U.S. intelligence and military personnel submitted for security clearances, according to several U.S. officials.
Anthem, the nation's second-largest health insurer and parent company of Blue Cross-Blue Shield of Georgia, suffered a data breach in which as many as 80 million customers may have had their account information and Social Security numbers stolen.
December 2014: Hackers believed to be linked to North Korea breached Sony's email systems, got employee data and put several as-yet-unreleased films on the Internet.
November 2014: The U.S. Postal Service disclosed a major data theft that "potentially compromised" databases containing postal employees' names, birth dates, addresses and Social Security numbers.
Home Depot confirms that hackers got more than 50 million credit or debit card numbers from its payment systems.
Coca-Cola discloses that at least 74,000 current and former Coca-Cola employees may have been compromised after company laptops were stolen, including Social Security numbers for about 18,000 people.
Neiman Marcus discloses that hackers got account information on 1.1 million credit and debit cards.
Target discloses that thieves got personal information on 70 million people in late 2013, on top of an earlier disclosure that hackers also got debit and credit card information on up to 40 million shoppers.
Resources for consumers
Equifax said it would provide a free one-year package of credit monitoring and ID protection services: https://www.equifaxsecurity2017.com/
Privacy Rights Clearinghouse: https://www.privacyrights.org/consumer-guides/what-do-when-you-receive-data-breach-notice
Federal Trade Commission: https://www.identitytheft.gov/Info-Lost-or-Stolen