Consumer credit reporting agency Equifax on Thursday said it suffered a major criminal data breach that exposed personal information of as many as 143 million consumers in the U.S. between mid-May and July of this year.
The attack exposed a range of sensitive personal data, including names, addresses, Social Security Numbers, dates of birth, and in some cases driver’s license numbers, Equifax said. The attackers also accessed credit card data for about 209,000 consumers and credit dispute information for about 182,000 consumers.
Further, the intruders obtained a limited amount of personal information for certain people in the UK and Canada, but Equifax did not specify how many were affected.
Picking Up the Pieces
Equifax discovered the attack on July 29 and immediately began to take action. The company contacted law enforcement agencies and hired a top independent cybersecurity firm, which has been conducting a thorough cybersecurity review in order to understand the scope of the attack and what specific information was involved.
“This is clearly a disappointing event for our company and one that strikes at the heart of who we are and what we do,” said CEO Richard Smith, who apologized to consumers and business customers. “We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of all of our security operations.”
The company has developed a “comprehensive portfolio of services to support U.S. consumers” whether or not they were impacted directly by the incident, he added.
Equifax has established a dedicated website, www.equifaxsecurity2017.com, to help consumers determine whether they were impacted by the incident, and also to sign up for complimentary credit monitoring and identity theft protection.
The package includes something called TrustedID Premier, which provides three-bureau credit monitoring of Equifax, TransUnion and Experian credit reports, copies of Equifax credit reports, the ability to lock and unlock Equifax reports, identity theft insurance and the ability to scan for compromised Social Security Numbers to see if they are on the Internet.
Further, Equifax said it will contact consumers directly by mail if their credit cards or dispute documents were compromised. The company is in the process of contacting federal and state regulators, as well as the attorneys general of all U.S. states and territories about the incident.
One of them — New York Attorney General Eric Schneiderman — on Friday issued a consumer alert.
“The Equifax breach has potentially exposed sensitive personal information of nearly everyone with a credit report, and my office intends to get to the bottom of how and why this massive hack occurred,” Schneiderman said.
“I encourage all New Yorkers to immediately call Equifax to see if their data was compromised and to consider additional measures to protect themselves,” he added.
Consumers can contact a dedicated call center at 866-447-7559 to determine if they have been affected by the breach. The call center is open every day (including weekends) from 7:00 a.m. to 1:00 a.m. Eastern time.
Equifax’s goal cannot be to “fix the problem and move on,” CEO Smith told the firm’s employees.
Although Equifax has made significant investments in cybersecurity, company officials recognize that they must do more, Smith said, and he promised that they will.
Ahead of the Game
The company has responded well to the attack, said Mark Nunnikhoven, vice president of cloud research at Trend Micro, noting that its CEO has issued a written and video statement accepting responsibility, it has called in outside technical expertise, and it is providing assistance for consumers.
“Equifax’s response in this situation is a great example of how to respond if a cybercriminal does manage to breach your defenses,” Nunnikhoven told TechNewsWorld.
Still, the attack appears to have exposed a vulnerability at Equifax that could challenge it from both a security and branding perspective and potentially expose it to legal jeopardy.
“Equifax needs to raise their cybersecurity score,” said Chris Morales, head of security analytics at Vectra.
“Enterprises need to realize they cannot address cybersecurity by simply spending money on intrusion prevention solutions,” he told TechNewsWorld, “and need to shift investments to detection and response solutions to thwart today’s advanced attackers.”
Several law firms — Levi & Korsinsky, Khang & Khang, Holzer & Holzer and others — already have launched investigations into potential securities law violations by Equifax. The firm’s stock plunged more than 13 percent on Friday on the news.
Consumers should check the Equifax site to find out if their data was exposed, making sure to use a secure computer with an encrypted network connection, advised Seena Gressin, attorney with the Federal Trade Commission’s Consumer and Business Education division.
They also should check all three major credit reports, using the annualcreditreport.com site, and look for accounts they don’t recognize.
Consumers should consider placing a credit freeze on their files to make it harder for someone to open up an account in their name, or, if they decide not to place the credit freeze, placing a fraud alert on their files, Gressin said. Consumers also should file their taxes early to avoid tax identity theft.