143 million affected in hack of US credit agency

Attack on Equifax is one of the largest risks to personally sensitive data in recent years

NEW YORK • Equifax, one of the three major consumer credit reporting agencies in the US, has said that hackers had gained access to company data that potentially compromised sensitive information for 143 million American consumers, including Social Security numbers and driver's licence numbers.

The attack on the company represents one of the largest risks to personally sensitive information in recent years, and is the third major cyber security threat for the agency since 2015. Equifax, based in Atlanta, is a particularly tempting target for hackers.

If identity thieves wanted to hit one place to grab all the data needed to do the most damage, they would go straight to one of the three major credit reporting agencies. "This is about as bad as it gets," said Ms Pamela Dixon, executive director of the World Privacy Forum, a non-profit research group. "If you have a credit report, chances are, you may be in this breach. The chances are much better than 50 per cent."

Criminals gained access to certain files in the company's system from the middle of May to July by exploiting a weak point in the website's software, according to an investigation by Equifax and security consultants.

The company said it discovered the intrusion on July 29, and has since found no evidence of unauthorised activity on its main consumer or commercial credit reporting databases.

In addition to the other material, hackers were also able to retrieve names, birth dates and addresses. Credit card numbers of 209,000 consumers were stolen, while documents with personal information used in disputes for 182,000 people were also taken. "On a scale of 1 to 10 in terms of risk to consumers, this is a 10," said Ms Avivah Litan, a fraud analyst at Gartner.

An FBI spokesman said the agency was aware of the breach and was tracking the situation.

On Thursday, cyber security professionals criticised Equifax for not improving its security practices after those previous thefts, and they noted that thieves were able to get the company's crown jewels through a simple website vulnerability.

"Equifax should have multiple layers of controls" so if hackers manage to break in, they can at least be stopped before they do too much damage, Ms Litan said.


A version of this article appeared in the print edition of The Straits Times on September 09, 2017, with the headline '143 million affected in hack of US credit agency'. Print Edition | Subscribe