Massive multinational credit reporting company Equifax has been breached by hackers, with up to 143 million U.S. residents having their names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers stolen from the company’s databases.
Although the breach affects just over 60 percent of the adult population of the U.S., it is far from being the largest ever. Two Yahoo breaches revealed last year impacted almost 1.5 billion accounts. But experts said it might nonetheless be the worst, because every affected consumer is immediately, and for the foreseeable future, at high risk of identity theft. Unlike stolen credit card numbers or passwords, a Social Security number or date of birth cannot be changed. The largest breach of SSNs prior to Thursday was the 2015 Anthem hack of 80 million records.
In an unprecedented move, Atlanta-based Equifax said it was offering a year's free credit monitoring — not just to the 143 million impacted consumers, but to any American who wants it.
Nonetheless, the company's response has been lambasted, with online critics highlighting problems including a dubious TLS certificate on the special response website, hourlong waits for unhelpful answers at telephone call centers, and a lack of clarity about who was affected.
Company representatives did not reply as of midday Friday to a list of detailed questions from CyberScoop. Equifax operates in 24 countries and has access to the data of more than 820 million consumers worldwide, the company’s website says.
At least two class action lawsuits were filed by midday Friday, and the company's stock price fell sharply in morning trading, driven in part by reports that three C-level executives had sold company stock after the breach was discovered July 29, but before it was made public Thursday. A company spokeswoman told Bloomberg the three, including the CFO, "had no knowledge that an intrusion had occurred at the time" of the transactions.
On Friday, two Democratic members of Congress called for an official inquiry. Oregon Sen. Ron Wyden said in a statement that the Senate should investigate. Separately, California Rep. Ted Lieu requested a House-led investigation in a letter to leaders of the House Judiciary Committee.
There have also been renewed calls for Congress to act on a long-stalled national data breach standards bill — at the moment, victim companies have to comply with 40-plus different state data breach reporting requirements.
One lawmaker who has championed such legislation in the past called the news of the intrusion “profoundly troubling,” and urged against breach fatigue.
“While many have perhaps become accustomed to hearing of a new data breach every few weeks, the scope of this breach … raises serious questions about whether Congress should … create a uniform data breach notification standard,” said Sen. Mark Warner, D-Va. He added that lawmakers also need to “rethink data protection policies, so that enterprises such as Equifax have fewer incentives to collect large, centralized sets of highly sensitive data like SSNs and credit card information on millions of Americans.”
Warner concluded by stating, "It is no exaggeration to suggest that a breach such as this — exposing highly sensitive personal and financial information central for identity management and access to credit — represents a real threat to the economic security of Americans."
Equifax Chairman and CEO Richard Smith said the company discovered the breach on July 29, by which time the intrusion had been ongoing for more than two months. The hackers "exploited a U.S. website application vulnerability to gain access," the statement says; it does not identify the application or the vulnerability.
"Regardless of whether your information may have been impacted, we will provide you the option to enroll in TrustedID Premier," says the special website the company set up to inform the public about the breach. TrustedID Premier is a service the company offers that includes monitoring of credit files at all three major credit bureaus (Equifax, Experian and TransUnion), identity theft insurance, and internet scanning for Social Security numbers.
The company, which sells comparable services for between $18 and $28 a month, is offering it free for one year. However, the terms of service state that, by subscribing, consumers waive their right to seek redress against the company in court — including over the breach that prompted the offer — and must instead use an Equifax-approved arbitration process.
The company said it hired a "leading, independent cybersecurity firm" to conduct a thorough investigation, including "a comprehensive forensic review to determine the scope of the intrusion," and to ascertain exactly which data was stolen. Reports said the firm was Mandiant, a subsidiary of FireEye. Stock prices for cybersecurity companies in general jumped on Friday.
Equifax also said it reported the intrusion to law enforcement and is working with authorities.
The company says its investigation is “substantially complete,” but will remain open for a few weeks.
“We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations,” added Smith, calling the hack “a disappointing event for our company.”
“I apologize to consumers and our business customers for the concern and frustration this causes,” he concluded.
Greg Otto contributed to this report.