Global credit monitoring firm Equifax has announced it has suffered a data breach affecting 143 million Americans, almost half of the US population.
The firm said in a statement that hackers had been in its systems as early as mid-May and had gained access to some internal data by exploiting a vulnerable web application.
Some security pundits on Twitter have speculated that, given the volume of data taken, the vulnerability that let the attackers in was most likely a SQL injection, the same class of flaw that was used to steal information from telecoms provider TalkTalk back in 2016.
Equifax is investigating the breach, and said it is working hand in hand with the FBI and regulators to find the criminals behind the attack.
Chief executive Richard Smith released a video of himself addressing customers in which he says the company’s core consumer and commercial credit reporting databases were not affected.
However, the names, Social Security numbers, birth dates, addresses and, in some cases, driver's license numbers of 143 million Americans were exposed.
In addition, around 209,000 US consumers had their credit card numbers stolen, and dispute documents containing personally identifiable information (PII) belonging to a further 182,000 customers were also taken.
Putting it aptly, Smith said “This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do,” and added “I apologize to consumers and our business customers for the concern and frustration this causes. We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations.”
As with the Experian breach, Equifax is offering free identity theft monitoring to those affected who apply. The catch is that the offer applies only to US citizens: to check whether you have been affected, you must supply your last name and your Social Security number, the very data Equifax has just lost.
To handle the sign-ups for free identity theft monitoring, the company registered the domain www.equifaxsecurity2017.com. This in itself has not gone well: many people reported on social media that they struggled to reach the website, and others pointed out that someone had already registered the look-alike domain www.equifaxsecurity2018.com to cash in on the rush of Equifax customers checking the status of their information. Those who land there will most likely end up at a carefully crafted phishing website designed to steal their personal information for a second time.
Equifax says it has enlisted a cyber-security firm to lock down its systems, investigate the event and gather evidence, so that it can better understand what was stolen and who might have done it.
Smith says his company will not stop until its servers are secure: “I’ve told our entire team that our goal can’t be simply to fix the problem and move on,” and added, “Confronting cyber-security risks is a daily fight. While we’ve made significant investments in data security, we recognize we must do more. And we will.”
Many are now asking why executives at the company sold Equifax stock before the breach was disclosed. The disclosure itself came 41 days after the breach was discovered, raising further questions about why Equifax delayed reporting it to US authorities.
Filings at the US Securities and Exchange Commission (SEC) show that Chief Financial Officer John Gamble made $946,374 on the sale, U.S. Information Solutions President Joseph Loughran made $584,099 and Consumer Information Solutions President Rodolfo Ploder earned $250,458.
Equifax told both The Guardian and Gizmodo that the executives had no knowledge of the breach at the time the stock was sold.
The UK’s Information Commissioner’s Office has released a statement to advise “Equifax to alert affected UK customers at the earliest opportunity.”
Deputy Commissioner James Dipple-Johnstone said: “Reports of a significant data loss at US-based Equifax and the potential impact on some UK citizens gives us cause for concern. We are already in direct contact with Equifax to establish the facts including how many people in the UK have been affected and what kind of personal data may have been compromised.”
By Roi Perez