Credit rating company Equifax revealed today that its databases had been hacked. In a statement, the company confessed that hackers gained access to some of its internal data in mid-May by exploiting a vulnerable website application. They remained on the system until they were discovered on July 29.
According to Equifax, hackers exploited a U.S. website application vulnerability to gain access to certain files. Based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.
The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed.
As part of its investigation of this application vulnerability, Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents. Equifax will work with UK and Canadian regulators to determine appropriate next steps. The company has found no evidence that personal information of consumers in any other country has been impacted.
While the company’s investigation is substantially complete, it remains ongoing and is expected to be completed in the coming weeks.
Chairman and Chief Executive Officer Richard F. Smith stated,
“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes.”
“We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations. We also are focused on consumer protection and have developed a comprehensive portfolio of services to support all U.S. consumers, regardless of whether they were impacted by this incident.”
Equifax has engaged a leading, independent cybersecurity firm to conduct an assessment and provide recommendations on steps that can be taken to help prevent this type of incident from happening again.
Lenders rely on the information collected by the credit bureaus to help them decide whether to approve financing for homes, cars, credit cards and more.
Gartner security analyst Avivah Litan commented,
“On a scale of one to 10, this is a 10 in terms of potential identity theft.”
“Credit bureaus keep so much data about us that affects almost everything we do.”
Any data breach threatens to tarnish a company’s reputation, but it is especially mortifying for Equifax, whose entire business revolves around providing a clear financial profile of consumers that lenders and other businesses can trust.
“This really undermines their credibility. It also could undermine the integrity of the information stockpiled by two other major credit bureaus, Experian and TransUnion, since they hold virtually all the data that Equifax does.”
In addition to the personal information stolen in its breach, Equifax said the credit card numbers for about 209,000 U.S. consumers were also taken, as were “certain dispute documents” containing personal information for approximately 182,000 U.S. individuals.
CEO Smith said,
“I’ve told our entire team that our goal can’t be simply to fix the problem and move on. Confronting cybersecurity risks is a daily fight. While we’ve made significant investments in data security, we recognize we must do more. And we will.”
In response to the debacle, Equifax is offering a year’s free identity theft monitoring to every US citizen who applies, and has set up a dedicated call center and website to handle information requests from worried consumers. It will also mail notifications to everyone who lost data in the incident.
The irony here is that the identity theft detection service will be supplied by Equifax itself, and if you want to check whether you’re affected by the hack, you need to supply your last name and the last six digits of your Social Security number. So, you are required to submit personal info to the company that lost your info to find out if your info has been accessed. Of course, this is no use to users in the UK or Canada.
The UK’s data watchdog is investigating the major data breach. It is unclear how many UK users have been affected, but the Information Commissioner’s Office (ICO) said it is working with Equifax to establish the extent of the problem.
James Dipple-Johnstone, ICO deputy commissioner, said,
“Reports of a significant data loss at US-based Equifax and the potential impact on some UK customers gives us cause for concern.”
“We are already in direct contact with Equifax to establish the facts including how many people in the UK have been affected and what kind of personal data may have been compromised.”
The watchdog has urged Equifax to alert affected UK customers as soon as possible, and said it will work with the relevant overseas authorities on behalf of British citizens.