By Craig Timberg
Criminal hackers have acquired sensitive personal data – including Social Security numbers, birth dates and home addresses – of 143 million Americans by penetrating a web-based application for Equifax, the credit reporting agency said Thursday.
The breach, which the company said began in May, was discovered in July. Though Equifax said in a statement that "core databases" were not penetrated, the attackers did gain access to a wide range of data for what appears to be a majority of American adults and some foreign consumers as well.
Social Security numbers and birthdates are particularly sensitive data, giving those who possess them the ingredients for identity fraud and other crimes. Equifax said that it also lost control of an unspecified number of driver's licenses, along with the credit card numbers for 209,000 consumers and credit dispute documents for 182,000 others.
"In addition to the number [of victims] being really large, the type of information that has been exposed is really sensitive," said Beth Givens, executive director of the Privacy Rights Clearinghouse, a consumer advocacy group based in San Diego, California. "All in all, this has the potential to be a very harmful breach to those who are affected by it."
Equifax said it was alerting those who were affected by mail. It also set up a website, www.equifaxsecurity2017.com, to help consumers understand the breach and check whether they were affected. The company is offering one year of free credit monitoring and identity theft protection to anyone who may have been affected.
"This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes," Chairman and Chief Executive Officer Richard Smith said in a statement published on the company's website. "We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations. We also are focused on consumer protection and have developed a comprehensive portfolio of services to support all U.S. consumers, regardless of whether they were impacted by this incident."
The company did not immediately respond to queries about what Web application was hacked or why it waited six weeks to alert consumers about the breach.
Companies often do not immediately alert affected people to cybersecurity incidents, prompting state and federal legislators to periodically call for new laws to require more rapid and complete disclosures.