Equifax, one of the nation’s three largest credit reporting agencies, revealed Thursday that it was the victim of a “cybersecurity incident” that potentially impacts as many as 143 million U.S. consumers.
According to information from the company, “criminals exploited a U.S. website application vulnerability to gain access to certain files.”
Those files includes the names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers, of approximately 143 million consumers, Equifax stated.
In addition, the company said that the credit card numbers of approximately 209,000 U.S. consumers, and “certain dispute documents with personal identifying information” for approximately 182,000 U.S. consumers, were also accessed in the breach.
The company said that its investigation did not find any evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.
According to the company, an investigation found that the unauthorized access took place between mid-May and July 2017.
The company said that it discovered the unauthorized access on July 29, 2017, and “acted immediately to stop the intrusion.”
From there, the company said that it engaged an independent cybersecurity firm to conduct a “comprehensive forensic review” to determine how bad the breach was, including the specific data that was accessed.
Equifax said that it also reported the unauthorized access to law enforcement and continues to work with authorities.
The company said that its investigation is “substantially complete,” but remains open, and is expected to be completed in the coming weeks.
“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes,” Equifax Chairman and Chief Executive Officer Richard Smith said.
“We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations,” Smith continued. “We also are focused on consumer protection and have developed a comprehensive portfolio of services to support all U.S. consumers, regardless of whether they were impacted by this incident.”
The company said that its investigation also found unauthorized access to “limited personal information” for certain U.K. and Canadian residents.
Equifax said that it will work with U.K. and Canadian regulators to determine appropriate next steps for those consumers. The company said that it has found no evidence thus far that personal information of consumers in any other country was part of the breach.
In the wake of the breach, the company set up a website (equifaxsecurity2017.com) for consumers to gather more information about the breach and see if their personal information may be impacted by the breach.
On the site, consumers can also sign up for credit file monitoring and identity theft protection, which will be provided by Equifax for one year.
Here are more details on what the company is offering for the affected consumers:
The offering, called TrustedID Premier, includes 3-Bureau credit monitoring of Equifax, Experian and TransUnion credit reports; copies of Equifax credit reports; the ability to lock and unlock Equifax credit reports; identity theft insurance; and Internet scanning for Social Security numbers – all complimentary to U.S. consumers for one year.
The company said that it has also engaged an independent cybersecurity firm to review its systems and provide recommendations on what the company can do to ensure that a similar incident doesn’t take place again in the future.
“I’ve told our entire team that our goal can’t be simply to fix the problem and move on,” Smith said. “Confronting cybersecurity risks is a daily fight. While we’ve made significant investments in data security, we recognize we must do more. And we will.”