On Thursday, Equifax announced that criminals had successfully accessed the personal information of 143 Americans—roughly 44 percent of the U.S. population—in an alarming data breach at the credit-reporting firm.
Names, Social Security numbers, birth dates, addresses and even some driver’s license numbers were accessed by hackers who exploited core website vulnerability. Criminals also had access to credit card numbers for about 209,000 U.S. consumers, along with credit-report dispute documents that identify an additional 182,000 people.
“It’s a rich set of very sensitive identifying information that doesn’t often get collected all in one place,” said Jonathan Penn, director of strategy at cybersecurity firm Avast. “It goes deep to the bone in terms of its sensitivity.”
The breach comes as leaders in the technology industry are taking on cybercriminals and nation-state hackers who are becoming extraordinarily skilled at penetrating security and stealing data. The latest hack gives criminals enough information to steal a person’s identity, take out credit in their name, raid their bank accounts, or go on a shopping spree.
The company said 143 million people were “potentially” affected, but Penn believes that the company is indicating that at least that many people were hit. Adding to the controversy, days after the breach was discovered in late July, three company executives—chief financial officer John Gamble; Joseph Loughran II, the president of U.S. information solutions; and Rodolfo Ploder, the president of workforce solutions—all sold large amounts of their shares in Equifax stock totaling nearly $1.8 million. The trades were not part of a previously scheduled sale.
Of course, a company spokeswoman has ensured the public that the three executives “had no knowledge that an intrusion had occurred at the time they sold their shares.”
“This is clearly a disappointing event for our company and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes,” Equifax CEO Richard Smith said in a statement. “We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations. We also are focused on consumer protection and have developed a comprehensive portfolio of services to support all U.S. consumers, regardless of whether they were impacted by this incident.”
One high-profile cybersecurity expert named Brian Krebs asserts that Equifax “may have fallen behind in applying security updates to its internet-facing web applications.” This is not the first serious data breach for the big credit companies. In 2015, a breach at Experian put 15 million consumers’ personal data at risk.
“The credit bureaus — which make piles of money by compiling incredibly detailed dossiers on consumers and selling that information to marketers — have for the most part shown themselves to be terrible stewards of very sensitive data, and are long overdue for more oversight from regulators and lawmakers,” Krebs wrote in a blog post.
Equifax waited more than a month to reveal the incident to the public and potentially affected consumers, saying it discovered the breach in late July “and acted immediately to stop the intrusion.”
The criminals had access to the personal data from mid-May through July, Equifax said.
Equifax has since hired a leading cybersecurity company to conduct a “comprehensive forensic review to determine the scope of the intrusion, including the specific data impacted,” the company said.
The firm will mail notices to consumers whose credit card numbers or records of credit disputes were accessed. Equifax CEO Smith assures the public that the company will do a better job in the future of protecting Americans’ sensitive information.
“I’ve told our entire team that our goal can’t be simply to fix the problem and move on,” he said. “Confronting cybersecurity risks is a daily fight. While we’ve made significant investments in data security, we recognize we must do more. And we will.”
Source: mercurynews.com, theatlantic.com