Credit reporting service Equifax announced on Thursday that it fell victim to a data breach on July 29 affecting 143 million US customers. The breach may be the largest in the US, affecting almost half of the country’s population.
“Criminals exploited a U.S. website application vulnerability to gain access to certain files,” the company says in a press release. “Based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.”
Private data stolen in the breach includes Social Security numbers, addresses, birth dates and driver’s license data, plus credit card information of 209,000 US consumers. Customers should be vigilant for scams using the stolen data. Unauthorized access was also detected for some customers in the UK and Canada.
“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes,” said Chairman and Chief Executive Officer, Richard F. Smith. “We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations. We also are focused on consumer protection and have developed a comprehensive portfolio of services to support all U.S. consumers, regardless of whether they were impacted by this incident.”
The announcement led to numerous complaints from customers on Twitter, demanding to know why the breach wasn’t announced earlier and why Equifax executives sold $1.8 million worth of shares shortly after the breach was identified, writes Bloomberg. The company replied the executives “had no knowledge that an intrusion had occurred at the time.”
After the breach was announced, customers were asked to visit a website where they could check if their data had been leaked, and reach out to customer service phone lines. To check if their details were stolen, customers had to again give away personal information on the website, leading to further criticism of the company’s approach to addressing the hack as soon as possible.