Equifax says cyber attack may have hit 143 million customers

Ranks among the largest cybersecurity breaches in history

This July 21, 2012, photo shows Equifax Inc., offices in Atlanta. Credit monitoring company Equifax says a breach exposed social security numbers and other data from about 143 million Americans. The Atlanta-based company said Thursday, Sept. 7, 2017, that "criminals" exploited a U.S. website application to access files between mid-May and July of this year. (AP Photo/Mike Stewart)

Equifax Inc. said its systems were struck by a cybersecurity incident that may have affected about 143 million U.S. consumers, shedding light on what could be ranked as one of the largest breaches in history.

Intruders accessed names, Social Security numbers, birth dates, addresses and driver’s license numbers, Equifax said in a statement. Credit card numbers for about 209,000 consumers were also accessed, the company said. Equifax shares dropped more than 5% in after-hours trading.

CEO apology


"This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes," Chief Executive Officer Richard Smith said in the statement.

The company set up a website, www.equifaxsecurity2017.com, that consumers can use to determine whether their information was compromised. It’s also offering free credit-file monitoring and identity-theft protection.

Risk to consumers


The incident is a stark reminder of the risk of consumers’ personal data being exposed online. It’s particularly worrisome for the millions of people who trust credit-reporting agencies like Equifax to handle and protect their financial information.

Criminals took advantage of a "U.S. website application vulnerability to gain access to certain files" from mid-May through July of this year, Equifax said. The intruders also accessed dispute documents with personal identifying information for about 182,000 consumers.

"It’s a huge deal," said Tim Crosby, senior consultant with security-assessment firm Spohn, "You would expect these guys to have compartmentalized this data far enough away from a Web server — that there would not be any way to directly access it."

Past breaches


Equifax has been hit by breaches in the past. Experian Plc, Equifax and TransUnion, the three biggest U.S. credit-reporting companies, uncovered cases in 2013 where hackers gained illegal, unauthorized access to user information. Credit reports, purportedly on famous people ranging from Michelle Obama to Paris Hilton, were posted online in that hack.

This is the most high-profile cybersecurity breach since online portal Yahoo reported two separate incidents. Last year, Yahoo, whose web assets were acquired by Verizon Communications Inc. earlier this year, disclosed a 2014 breach that affected at least 500 million customer accounts. A few months later, the company said a 2013 hack siphoned email addresses, scrambled account passwords and dates of birth of as many as 1 billion users.

The Equifax breach exposed information, including Social Security and credit card numbers, that could be more valuable to bad actors and potentially more damaging to consumers.

Some U.K. and Canadian residents were also affected. The company is working with regulators in both countries. It uncovered the breach on July 29. While the company’s investigation is substantially complete, it remains open and is expected to be completed in coming weeks, Equifax said.

The Federal Bureau of Investigation didn’t immediately respond to emails and a phone message requesting comment about its possible involvement in an investigation.  

Copyright 2017 Bloomberg. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.
