Equifax Inc., one of the three biggest credit-reporting companies, was struck by a cyberattack that left almost half the U.S. population at risk, placing it among the most intrusive security breaches in history.
Hackers exploited a website application to access names, addresses, Social Security numbers and some driver’s license numbers of potentially 143 million consumers, Equifax said Thursday in a written statement.
The incident—which drove down shares in after-hours trading—is a stark reminder of the risk of consumers’ personal data being exposed online, security experts said. It’s particularly worrisome for the millions of people who trust credit-reporting agencies like Equifax to handle and protect their financial information. That kind of data is critical and could be used in multiple ways to harm consumers.
“This is massive,” said Paul Martini, CEO of Iboss, a cybersecurity firm. “This overshadows any other breach that we’ve seen to date—not just the volume, the size, but the type of data that was in that database.”
The company set up a website, www.equifaxsecurity2017.com, that consumers can use to determine whether their information was compromised. It’s also offering free credit-file monitoring and identity-theft protection.
Criminals took advantage of a “U.S. website application vulnerability to gain access to certain files” from mid-May through July of this year, Atlanta-based Equifax said.
The intruders also accessed dispute documents with personal identifying information for about 182,000 consumers. Credit card numbers for about 209,000 consumers were also accessed, the company said.
“It’s a huge deal,” said Tim Crosby, senior consultant with security-assessment firm Spohn. “You would expect these guys to have compartmentalized this data far enough away from a web server—that there would not be any way to directly access it.”
The Federal Bureau of Investigation said in a statement that it was aware of the hacking incident and was “tracking the situation as appropriate.”
Equifax and the other large credit-data brokers—United Kingdom-based Experian Plc and Chicago-based TransUnion—have fought a public-relations and regulatory battle for years to present themselves as responsible stewards of the personal information for hundreds of millions of Americans. Critics including U.S. Sen. Elizabeth Warren, a Massachusetts Democrat, have taken aim at errors that affect people’s ability to secure home loans, credit cards and reasonable interest rates.
U.S. Sen. Mark Warner, a Virginia Democrat, said the attack should spur renewed interest in stronger data-breach notification standards as well as policies to improve the protection of consumers’ data.
“It is no exaggeration to suggest that a breach such as this—exposing highly sensitive personal and financial information central for identity management and access to credit—represents a real threat to the economic security of Americans,” Warner said in a written statement.
Concerns about the credit bureaus’ digital security have periodically come into focus. In 2013, all three companies said they had uncovered cases in which hackers used personal information on famous people, from Michelle Obama to Paris Hilton, to access their credit reports and post the documents online. That year, cybersecurity reporter and blogger Brian Krebs published an account of how an identity thief in Vietnam ran a service that helped others access millions of Americans’ credit reports from Experian, via a subsidiary company.
When breaches have occurred, they often aren’t widely known. Some of the credit companies have disclosed security breaches in the quietest way possible—by alerting affected consumers directly, by mail—as required under state breach-disclosure laws, but not issuing wider public statements to consumers or investors.
Bloomberg News reported in 2012 that Experian was breached 86 times via accounts at clients such as banks or auto dealers, with hackers downloading in some cases hundreds of credit reports while the businesses were closed.
The attack reported Thursday is the most high-profile cybersecurity breach since online portal Yahoo announced two separate incidents. Last year, Yahoo, whose web assets were acquired by Verizon Communications Inc. earlier this year, disclosed a 2014 breach that affected at least 500 million customer accounts. A few months later, the company said a 2013 hack siphoned email addresses, scrambled account passwords and dates of birth of as many as 1 billion users.
Financial industry impact
Equifax’s breach will test measures the financial industry has rolled out to prevent thieves from abusing troves of stolen credit-card numbers. A few years ago, banks in the U.S. began embedding computer chips on cards to prevent criminals from forging their own with much simpler magnetic stripes.
The underlying technology—called EMV for founders Europay, MasterCard and Visa—generates new codes for each transaction. The codes on stripes are static, making them susceptible to duplication. Still, stolen card numbers can be useful at cash registers that don’t accept chips or for shopping online.
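The contrast the article draws, a static stripe value that can be copied and replayed versus a chip value that changes every transaction, can be shown in a few lines. The following is an added toy model, not code from Equifax or any card network: it keeps only the two properties that matter here (the stripe data never changes; the chip cryptogram is keyed and bound to a transaction counter the issuer tracks) and does not reproduce the real EMV cryptogram algorithm. The card data, key and terminal nonce are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values (not real card data, not a real issuer key).
STRIPE_TRACK = b"4111111111111111=2512101"   # PAN + expiry: identical on every swipe
CARD_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # hypothetical per-card key


def stripe_issuer_check(presented_track):
    """Magnetic-stripe model: the issuer can only compare static track data.
    A skimmed copy is byte-identical, so it authorizes exactly like the card."""
    return hmac.compare_digest(presented_track, STRIPE_TRACK)


def _cryptogram(key, atc, amount_cents, nonce):
    """Simplified per-transaction cryptogram: a keyed MAC over the application
    transaction counter (ATC), the amount and a terminal-supplied nonce.
    (Real EMV uses a different MAC construction; the binding is what matters.)"""
    msg = atc.to_bytes(2, "big") + amount_cents.to_bytes(4, "big") + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Chip:
    """Card side: holds the secret key and an ATC that increments every use."""

    def __init__(self, key):
        self._key = key
        self.atc = 0

    def transact(self, amount_cents, nonce):
        self.atc += 1
        return self.atc, _cryptogram(self._key, self.atc, amount_cents, nonce)


class Issuer:
    """Issuer side: recomputes the cryptogram and rejects any ATC already seen."""

    def __init__(self, key):
        self._key = key
        self.last_atc = 0

    def authorize(self, atc, amount_cents, nonce, cryptogram):
        if atc <= self.last_atc:          # replayed or out-of-order counter
            return False
        expected = _cryptogram(self._key, atc, amount_cents, nonce)
        if not hmac.compare_digest(expected, cryptogram):
            return False                  # forged, or captured value reused for another amount
        self.last_atc = atc
        return True


def demo():
    """Run both models with a skimmer in the loop; returns the four outcomes."""
    # Stripe: the skimmer's copy is accepted every time it is presented.
    skimmed_copy = bytes(STRIPE_TRACK)
    stripe_replay = stripe_issuer_check(skimmed_copy)

    # Chip: one genuine purchase, then two attempts to reuse what was captured.
    chip, issuer = Chip(CARD_KEY), Issuer(CARD_KEY)
    nonce = b"\x11\x22\x33\x44"          # terminal nonce, fixed here for determinism
    atc, cg = chip.transact(1999, nonce)
    chip_genuine = issuer.authorize(atc, 1999, nonce, cg)
    chip_replay = issuer.authorize(atc, 1999, nonce, cg)            # same counter again
    chip_altered = issuer.authorize(atc + 1, 99999, nonce, cg)      # captured MAC, new amount
    return {
        "stripe_replay": stripe_replay,
        "chip_genuine": chip_genuine,
        "chip_replay": chip_replay,
        "chip_altered": chip_altered,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'authorized' if ok else 'declined'}")
```

The stripe replay authorizes because nothing on the stripe distinguishes a copy from the card, which is the weakness the article describes; the chip replay and the altered transaction are declined because the issuer sees a stale counter or a cryptogram that no longer matches. Note the article's caveat still holds in this model: the static PAN and expiry in the stripe data are exactly what a card-not-present (online) merchant accepts, so chips do nothing for numbers stolen from a database.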
The Equifax breach also may open the way for another type of fraud called synthetic identity theft. Typically, fraudsters mix stolen Social Security numbers, and potentially other information from the owners, with a borrowed mailing address and apply for new credit cards that they control. Some patient con artists even use the new personas to seek additional credit cards or loans, then max them all out at once, potentially making off with tens of thousands of dollars.
Banks typically pick up the cost when thieves abuse stolen card numbers, assuming it’s caught promptly. The expenses can add up fast.
Rising costs of hacks
Over the past four years, financial firms spent an average of $222 per affected customer after suffering breaches, according to a study published by the Ponemon Institute this year for International Business Machines Corp. The tally includes a variety of expenses, covering everything from forensic investigations to customer support hotlines.
The number has been climbing. When releasing the report in June, the authors projected it would reach $245 per customer this year.
Some U.K. and Canadian residents were also affected in the incident reported Thursday. Equifax said it’s working with regulators in both countries. It uncovered the breach on July 29. While the company’s investigation is substantially complete, it remains open and is expected to be completed in coming weeks, Equifax said.
“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes,” CEO Richard Smith said.