WASHINGTON (REUTERS) - Equifax Inc, a provider of consumer credit scores, said on Thursday (Sept 7) that personal details of as many as 143 million US consumers were accessed by hackers between mid-May and July, in what could be one of the largest data breaches in the United States.
The company’s shares fell nearly 19 per cent in after-market trading as investors reacted to possible consequences of the exposure of sensitive data of nearly half of the US population.
Atlanta-based Equifax said in a statement that it discovered the breach on July 29. It said criminals exploited a US website application vulnerability to gain access to certain files that included names, Social Security numbers and driver’s licence numbers.
In addition, credit card numbers of around 209,000 US consumers and certain dispute documents with personal identifying information of around 182,000 US consumers were accessed. Information of some UK and Canadian residents was also gained in the hack, Equifax said.
It said in its statement that it was working with law enforcement agencies and has hired a cyber-security firm to investigate the breach. It said its investigation is “substantially complete,” and expects it will be completed in the coming weeks.
The company declined to comment beyond its statement.
The Federal Bureau of Investigation is tracking the situation, a spokesman for the agency said.
US Senator Mark Warner, vice-chairman of the Senate Select Committee on Intelligence, said in a statement that it would not be an “exaggeration to suggest that a breach such as this represents a real threat to the economic security of Americans.”
Equifax’s breach follows rival Experian Plc’s breach two years ago that exposed sensitive personal data of some 15 million people who applied for service with T-Mobile US Inc.
“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do," Equifax Chief Executive Richard Smith said in a statement, adding that the company is conducting “a thorough review of our overall security operations.”
LIKELIHOOD FOR PHISHING SEEN HIGH
Cybersecurity experts said the breach was very serious. “On a scale of 1 to 10, this is a 10. It affects the whole credit reporting system in the United States because nobody can recover it, everyone uses the same data,” said Avivah Litan, a Gartner Inc analyst who tracks identity theft and fraud.
Equifax handles data on more than 820 million consumers and more than 91 million businesses worldwide and manages a database with employee information from more than 7,100 employers, according to its website.
Ryan Kalember, senior vice-president of cyber security firm Proofpoint, said the hack was “especially troubling” because companies typically offer free credit monitoring services from firms such as Equifax, which has now itself suffered a huge cyber attack.
“The information is very personal – the likelihood that it could be used for phishing is very high,” said Matt Tait, a former analyst at the British intelligence service GCHQ and a cyber security researcher.