Personal details of 143 million people in the US were potentially leaked during “a cybersecrutiy incident”, NYSE-listed credit reporting agency Equifax revealed today.
The company has blamed a “US website application vulnerability” for the breach.
“The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver's license numbers,” the company said in a statement.
“In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed.”
The company said that information of some UK and Canadian residents was also accessed during the breach, which it discovered on 29 July. The hackers had access to Equifax data from “mid-May” until the company discovered the breach.
The company said it has not discovered any evidence of unauthorised activity on its core consumer and commercial credit reporting databases.
An independent cyber security firm has been conducting a forensic review of the intrusion to determine its scope. Equifax expects the review to be completed “in the coming weeks”. The hack has also been reported to law enforcement agencies.
“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do,” Equifax chairperson and CEO Richard F. Smith said in a statement.
“I apologise to consumers and our business customers for the concern and frustration this causes.”
“We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations,” the CEO said.
The company has established a website — https://www.equifaxsecurity2017.com/ — for people potentially affected by the incident.
Smith said that Equifax would offer a “comprehensive portfolio of services to support all US consumers, regardless of whether they were impacted by this incident”.