Hackers stole a treasure trove of financial data from a top credit-reporting company, potentially exposing the personal information of roughly half the US population.
Equifax said Thursday that thieves stole customer names, Social Security numbers, birthdates and addresses in a hack that stretched from mid-May to July. The data taken affected as many as 143 million people.
The number of affected people is roughly half of the US population of 323 million. The number reported by Equifax doesn't include victims from around the world.
"This is clearly a disappointing event and one that strikes at the heart of who we are and what we do," Equifax CEO Rick Smith said in a video released Thursday. In a separate statement, Equifax said it is working with law enforcement on an investigation.
The breach, which was particularly potent because one company held such a large amount of sensitive information, is among the largest in US history and the biggest known leak of 2017. Yahoo lost data on roughly 1 billion accounts, a record, in 2013, the web portal said last year.
Worried consumers, however, expressed frustration with a tool the company launched to help them determine if their personal information had been stolen.
Equifax learned about the breach on July 29 but didn't reveal it for more than a month. The hackers stole credit card numbers of about 209,000 people and also got documents with personal information on 182,000 victims, Equifax said in a statement to its investors.
People in the UK and Canada have also been affected by the breach, the company said. It has stopped the breach and is still investigating who was behind the break-in.
"Criminals exploited a US website application vulnerability to gain access to certain files," Equifax said in its statement.
Companies like Target, Home Depot and Sony have offered free credit monitoring through Equifax after they suffered breaches, and Equifax is one of three major companies that monitor credit scores after data breaches. Equifax is offering its own credit-monitoring service to people affected by its own breach.
The protection includes free identity theft protection and credit monitoring for the next year.
"Given that financial institutions, including credit card companies, banks, credit unions, retailers and lenders report the details of credit activity to Equifax, the 143 million consumers affected may not even be aware the company has this information on them," Theresa Payton, who runs Fortalice Solutions, a security company, said in an email.
Sen. Mark Warner (D-Virginia), the vice chair of the Senate Intelligence Committee, called Equifax's revelation "profoundly troubling" and suggested it was time for Congress to weigh in on stronger data protection standards for consumers.
Warner said the hack "raises serious questions about whether Congress should not only create a uniform data breach notification standard, but also whether Congress needs to rethink data protection policies, so that enterprises such as Equifax have fewer incentives to collect large, centralized sets of highly sensitive data like SSNs and credit card information on millions of Americans."
Equifax's revelation of the breach was complicated by news that three executives had sold shares of the company after the hack was uncovered. The executives, including the company's chief financial officer, sold shares worth almost $1.8 million three days after the breach was discovered and several weeks before it was made public, according to regulatory filings.
The Securities and Exchange Commission bars corporate insiders such as executives, employees and directors from buying or selling stock in their company while in possession of material information not yet made public. Equifax denied the executives sold their shares based on insider information.
"The three executives who sold a small percentage of their Equifax shares on Tuesday, August 1, and Wednesday, August 2, had no knowledge that an intrusion had occurred at the time they sold their shares," Ines Gutzmer, Equifax's chief of corporate communications, said.
Equifax's stock, which had been up in regular trading, dropped more than 13 percent in after-hours trading following the announcement.