Credit reporting company Equifax announced Thursday that it had suffered a massive hack potentially affecting 143 million Americans. The company posted an explanation on its website:
Equifax Inc. today announced a cybersecurity incident potentially impacting approximately 143 million U.S. consumers. Criminals exploited a U.S. website application vulnerability to gain access to certain files. Based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.
The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed.
The announcement also included a video (see below) in which CEO Richard Smith said, “I deeply regret this incident and I apologize to every affected consumer and all of our partners.” Equifax has offered an online tool that allows individuals to see whether their information might have been compromised. You’ll need to enter your last name and the last six digits of your Social Security Number to find out.
I checked my own information and was directed to return to the site next week to finish enrolling in free credit monitoring services. However, I did not get a message saying whether my data was affected. Does that mean I wasn’t affected? Are those who were affecting being enrolled first? It’s not clear but the company does say that everyone who checks (whether affected or not) will receive the same offer to sign up for services.
CNN reports that people may not realize their information has been stored with Equifax because it was given to the company not by the individual directly but by a credit card company or retailer:
Equifax is one of three nationwide credit-reporting companies that track and rates the financial history of U.S. consumers. The companies are supplied with data about loans, loan payments and credit cards, as well as information on everything from child support payments, credit limits,missed rent and utilities payments, addresses and employer history, which all factor into credit scores.
Unlike other data breaches, not all of the people affected by the Equifax breach may be aware that they’re customers of the company. Equifax gets its data from credit card companies, banks, retailers, and lenders who report on the credit activity of individuals to credit reporting agencies, as well as by purchasing public records.
An FAQ on the site recommends, “that consumers be vigilant in reviewing their account statements and credit reports, and that they immediately report any unauthorized activity to their financial institutions.” In other words, be on the look out for suspicious credit activity in the wake of this hack.
Equifax says it hired a cyber security firm and that the incident is now “contained,” so presumably, they have people looking into where this originated. But so far I do not see any mention of who might be responsible for this massive hack.
Here’s the CEO offering his explanation and apology.