Equifax Inc. said its systems were struck by a cyberattack that may have affected about 143 million U.S. customers of the credit reporting agency, shedding light on one of the largest and most intrusive breaches in history.
Intruders accessed names, Social Security numbers, birth dates, addresses and driver’s license numbers, Equifax said in a statement. Credit card numbers for about 209,000 consumers were also accessed, the company said. Equifax shares dropped more than 8 percent in after-hours trading.
"This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes," Chief Executive Officer Richard Smith said.
The company set up a website, http://www.equifaxsecurity2017.com, that consumers can use to determine whether their information was compromised. It’s also offering free credit-file monitoring and identify-theft protection.
The incident is a stark reminder of the risk of consumers’ personal data being exposed online. It’s particularly worrisome for the millions of people who trust credit-reporting agencies like Equifax to handle and protect their financial information.
Criminals took advantage of a "U.S. website application vulnerability to gain access to certain files" from mid-May through July of this year, Equifax said. The intruders also accessed dispute documents with personal identifying information for about 182,000 consumers.
"It’s a huge deal," said Tim Crosby, senior consultant with security-assessment firm Spohn, "You would expect these guys to have compartmentalized this data far enough away from a Web server -- that there would not be any way to directly access it."
Equifax has been hit by breaches in the past. Experian Plc, Equifax and TransUnion, the three biggest U.S. credit-reporting companies, uncovered cases in 2013 where hackers gained illegal, unauthorized access to user information. Credit reports, purportedly on famous people ranging from Michelle Obama to Paris Hilton, were posted online in that hack.
This is the most high-profile cybersecurity breach since online portal Yahoo reported two separate incidents. Last year, Yahoo, whose web assets were acquired by Verizon Communications Inc. earlier this year, disclosed a 2014 breach that affected at least 500 million customer accounts. A few months later, the company said a 2013 hack siphoned email addresses, scrambled account passwords and dates of birth of as many as 1 billion users.
The Equifax breach exposed information, including Social Security and credit card numbers, that could be more valuable to bad actors and potentially more damaging to consumers.
Some U.K. and Canadian residents were also affected. The company is working with regulators in both countries. It uncovered the breach on July 29. While the company’s investigation is substantially complete, it remains open and is expected to be completed in coming weeks, Equifax said.
The Federal Bureau of Investigation didn’t immediately respond to emails and a phone message requesting comment about its possible involvement in an investigation.