Credit monitoring company Equifax Inc. said its systems were struck by a cyberattack that may have affected about 143 million U.S. customers of the credit reporting agency, shedding light on one of the largest and most intrusive breaches in history.
Intruders accessed names, Social Security numbers, birth dates, addresses and driver’s license numbers, Equifax said in a statement. Credit card numbers for about 209,000 consumers were also accessed, the company said.
The company set up a website, equifaxsecurity2017.com, that consumers can use to determine whether their information was compromised. It’s also offering free credit-file monitoring and identify-theft protection.
Regulatory filings show that three Equifax Inc. senior executives sold shares worth almost $1.8 million in the days after the company discovered the security breach.
The credit-reporting service said late Thursday in a statement that it discovered the intrusion on July 29. Regulatory filings show that three days later, Chief Financial Officer John Gamble sold shares worth $946,374 and Joseph Loughran, president of U.S. information solutions, exercised options to dispose of stock worth $584,099. Rodolfo Ploder, president of workforce solutions, sold $250,458 of stock on Aug. 2.
None of the filings lists the transactions as being part of 10b5-1 pre-scheduled trading plans.
The hacking incident is a stark reminder of the risk of consumers’ personal data being exposed online. It’s particularly worrisome for the millions of people who trust credit-reporting agencies like Equifax to handle and protect their financial information.
Criminals took advantage of a “U.S. website application vulnerability to gain access to certain files” from mid-May through July of this year, Equifax said. The intruders also accessed dispute documents with personal identifying information for about 182,000 consumers.
“It’s a huge deal,” said Tim Crosby, senior consultant with security-assessment firm Spohn. “You would expect these guys to have compartmentalized this data far enough away from a Web server — that there would not be any way to directly access it.”
Equifax has been hit by breaches in the past. Experian Plc, Equifax and TransUnion, the three biggest U.S. credit-reporting companies, uncovered cases in 2013 where hackers gained illegal, unauthorized access to user information. Credit reports, purportedly on famous people ranging from Michelle Obama to Paris Hilton, were posted online in that hack.
This is the most high-profile cybersecurity breach since online portal Yahoo reported two separate incidents. Last year, Yahoo, whose web assets were acquired by Verizon Communications Inc. earlier this year, disclosed a 2014 breach that affected at least 500 million customer accounts. A few months later, the company said a 2013 hack siphoned email addresses, scrambled account passwords and dates of birth of as many as 1 billion users.
The Equifax breach exposed information, including Social Security and credit card numbers, that could be more valuable to bad actors and potentially more damaging to consumers.
Some U.K. and Canadian residents were also affected. The company is working with regulators in both countries. It uncovered the breach on July 29. While the company’s investigation is substantially complete, it remains open and is expected to be completed in coming weeks, Equifax said.
The Federal Bureau of Investigation didn’t immediately respond to emails and a phone message requesting comment about its possible involvement in an investigation.