Equifax, one of the nation’s three major credit reporting firms, announced Thursday that its computer systems had been breached, leading to the unauthorized accessing of Social Security numbers and birth dates of up to 143 million U.S. consumers.
The Atlanta-based company said the intrusion — enabled by a website vulnerability — occurred from mid-May through July. The issue was discovered July 29, and the company spent recent weeks working with a cybersecurity consultant and authorities on an investigation, which is continuing.
Equifax said it launched a website for people to check whether their data were affected and to sign up for the company’s credit-monitoring services. But a form on the website purportedly offering to “check potential impact” instead just gives users a date on which they must return to Equifax’s website to enroll in credit monitoring.
The discrepancy drew quick scorn from consumers on social media. Equifax declined to comment on the issue. Several attempts to get through on a phone line that Equifax said was dedicated to consumer calls about the data breach resulted in a busy signal.
Besides Social Security numbers and birth dates, the accessed information “primarily” includes names, addresses and, in some cases, driver’s license numbers, according to the company.
The credit card numbers for 209,000 U.S. consumers were compromised, and dispute documents related to 182,000 U.S. consumers also were accessed. An unspecified number of people in Britain and Canada were affected.
Equifax has acknowledged or been linked to several previous data breaches, including much smaller incidents in 2013 and 2015.
The latest breach is potentially among the largest on record in the U.S., surpassing incidents in the last few years involving Target, T.J. Maxx and health insurer Anthem. Experian, an Equifax competitor, has suffered major breaches too.
Eric Gibbs, whose law firm is involved in a consumer lawsuit against Experian over a 2015 breach affecting 15 million people, said the Equifax situation may end up fitting into a pattern.
“The one thing that has held consistent in recent years is there’s substandard internal practices that lead to these breaches,” said Gibbs, a partner at Girard Gibbs. “Time and time again, the [breaches] are then blamed on sophisticated hackers. But the sophistication of the hacker doesn’t have to do with it, it’s the internal practices.”
Andrew Peterson, chief executive of Los Angeles Web application security start-up Signal Sciences, said that businesses have been investing more in giving consumers easier online access to tools.
"But the ease of access is what makes Web applications and services attractive to attackers as well,” Peterson said. “So Web applications are targeted more often by attackers, and when vulnerabilities are discovered, the number of records lost typically dwarfs the data lost in other types of successful attacks."
In a statement, Equifax Chairman and CEO Richard Smith vowed to increase cybersecurity spending.
"This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do,” his statement said.
The company said it hasn’t found evidence that whoever got into its systems accessed its consumer or business credit reporting databases. It’s unclear why they weren’t compromised in the same way as other information.
Meanwhile, Bloomberg reported that three senior Equifax executives sold a combined $1.8 million worth of company shares in the four days following the discovery of the breach, before it was made public. None of the trades were pre-scheduled, the news agency noted, citing regulatory filings.
Equifax spokesperson Ines Gutzmer said in an email that the executives “had no knowledge that an intrusion had occurred at the time they sold their shares.”
News of the breach sent Equifax shares sliding; the stock price fell more than 13%, or $18, to about $124 in trading after markets closed.
Finance and security experts recommended Thursday that people keep a close eye on their credit reports and credit card and banking accounts. Identity thieves may try to open new accounts, commit insurance fraud or steal tax refunds.
“There’s quite broad and serious potential harm over a many number of years,” said David Berger, counsel at Girard Gibbs. “It’s particularly concerning.”
5:25 p.m.: This article was updated with comment from Equifax on the sale of company shares by executives.
2:45 p.m.: This article was updated with details about discrepancies on a website Equifax set up for consumers to get information about the data breach.
2:30 p.m.: This article was updated with additional context on other data breaches and a statement from Equifax’s chief executive.
4:10 p.m.: This article was updated with comment from security experts and information about the customer service efforts at Equifax.
The article was originally published at 2:05 p.m.