Equifax Inc. announced Sep. 7 that it was the victim of a data breach that potentially exposed personally identifiable information of about 143 million U.S. consumers.
Though Equifax disclosed the breach on Sep. 7, the company admitted that the breach was discovered more than a month ago, on July 29. According to Equifax, once the unauthorized access of its systems was discovered, the intrusion and the attackers were blocked. Based on the company’s initial forensic investigation however, the attackers had access to Equifax’s systems for a two month period, from mid-May through July 2017.
According to Equifax, the attackers were able to obtain names, Social Security numbers, birth dates, addresses and driver’s license numbers for 143 million American consumers. Beyond that trove of information, Equifax has determined that approximately 209,000 consumer credit card numbers were also stolen in the breach.
While American consumers are at risk, so too are Canadian and UK residents. The breach of Canadian and UK consumer information however is significantly less severe, with Equifax noting that the non-U.S. consumer information loss was limited.
“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do,” Chairman and Chief Executive Officer, Richard F. Smith, said in a statement. “I apologize to consumers and our business customers for the concern and frustration this causes.”
It is not currently clear how the attackers were able to gain unauthorized access to the Equifax systems. Equifax has also not specifically identified the application vulnerability used to carry out the attack or the actual database that was breached. In an FAQ on the breach, Equifax stated that, “criminals exploited a U.S. website application vulnerability to gain access to certain files.”
Given the vast impact of the breach, Equifax has setup a website service where consumer can easily check to see if their personal information was lost in the attack. Equifax is also offering impacted consumers free credit monitoring and identity theft protection, with its own TrustedID Premier service, which monitors data from Equifax, Experian and TransUnion credit reports
Equifax has engaged with an undisclosed cyber-security firm to perform a forensic investigation and the company is also working with law enforcement to find those responsible for the attack. Equifax’s CEO has also pledged to improve his company’s security to help prevent any future attacks.
“We all know that the threats to data security are growing by the day,” Smith said in a video message. “While we have made significant investments in cyber-security, we have more to do.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.