Britons hit as Equifax cyber attack exposes 143 million to ID theft
Credit monitoring company Equifax has been hit by a high-tech attack that exposed Social Security numbers and other sensitive information about 143 million Americans - and "limited" details of Britons and Canadians.
The Atlanta-based company, one of three major American credit bureaux, said "criminals" exploited a US website application to access files between mid-May and July this year.
The theft obtained consumers' names, Social Security numbers, birth dates, addresses and, in some cases, driving licence numbers.
In addition to the personal information stolen in its breach, Equifax said credit card numbers for about 209,000 US consumers were also taken, as were "certain dispute documents" containing personal information for about 182,000 American individuals.
Equifax warned that hackers may also have some "limited personal information" about British and Canadian residents.
The company does not believe that consumers from any other countries were affected.
The stolen data can be enough for criminals to hijack the identities of people whose credentials were stolen through no fault of their own, potentially wreaking havoc on their lives.
Equifax said its core credit-reporting databases did not appear to have been breached.
"On a scale of one to 10, this is a 10 in terms of potential identity theft," said Gartner security analyst Avivah Litan.
"Credit bureaux keep so much data about us that affects almost everything we do."
Lenders rely on the information collected by the credit bureaux to help them decide whether to approve financing for homes, cars and credit cards.
Credit checks are even sometimes done by employers when deciding whom to hire for a job.
Equifax discovered the hack on July 29, but waited until Thursday to warn consumers.
The company declined to comment on that delay or anything else beyond its published statement.
It's not unusual for US authorities to ask a company hit in a major hack to delay public notice so that investigators can pursue the perpetrators.
The company established a website, https://www.equifaxsecurity2017.com/ , where people can check to see if their personal information may have been stolen.
People can also call 866-447-7559 for more information and Experian is also offering free credit monitoring to all US consumers for a year.
"This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do," Equifax chief executive Richard Smith said.
"I apologise to consumers and our business customers for the concern and frustration this causes."
The biggest data breach in history belongs to Yahoo, which was targeted in at least two separate digital burglaries that affected more than one billion of its users' accounts throughout the world.
But no Social Security numbers or driving licence information were disclosed in the Yahoo break-in.
Equifax's security lapse could be the largest theft involving Social Security numbers, one of the most common methods used to confirm a person's identity in the US.
It eclipses a 2015 hack at health insurer Anthem that involved the Social Security numbers of about 80 million people.
Any data breach threatens to tarnish a company's reputation, but it is especially mortifying for Equifax, whose entire business revolves around providing a clear financial profile of consumers that lenders and other businesses can trust.
"This really undermines their credibility," Mr Litan said, adding that it also could hurt the integrity of the information stockpiled by two other major credit bureaux, Experian and TransUnion, since they hold virtually all the data that Equifax does.
Equifax's stock dropped 13% to 124.10 dollars in extended trading after its announcement of the breach.
Three Equifax executives insulated themselves from that downturn by selling shares worth a combined 1.8 million dollars just a few days after the company discovered the breach on July 29, according to documents filed with securities regulators.
The sales, executed on August 1 and August 2, were made by John Gamble, Equifax's chief financial officer; Rodolfo Ploder, Equifax's president of workforce solutions; and Joseph Loughran, Equifax's president of US information solutions.
Bloomberg News first reported the divestitures.
In a subsequent statement, Equifax said the three executives "had no knowledge that an intrusion had occurred at the time they sold their shares".
The potential aftershocks of the Equifax breach should make it clear that Social Security numbers are becoming an unreliable way to verify a person's identity, Nathaniel Gleicher, former director of cyber security policy in the White House during the Obama administration, said.
"This breach might just have put the nail in the coffin of the idea that we can use personal identifiers like Social Security numbers as security factors," said Mr Gleicher, who now oversees cyber security strategy for computer security firm Illumio.