Hackers breached a crown jewel among U.S. financial institutions this summer, potentially compromising 143 million Americans’ personally identifiable information (PII).
Consumer credit reporting agency Equifax confirmed in a statement released late Thursday that hackers gained access to its systems and compromised consumer data, including Social Security numbers and driver’s license numbers.
“Criminals exploited a U.S. website application vulnerability to gain access to certain files,” the statement said. “Based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.”
Along with consumers’ names, Social Security numbers, birth dates, and addresses, the hackers also stole 209,000 consumers’ credit card numbers and 128,000 consumers’ dispute documents.
“As part of its investigation of this application vulnerability, Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents,” the statement said. “Equifax will work with UK and Canadian regulators to determine appropriate next steps.”
Equifax became aware of the hackers’ intrusion on July 29, acted to stop the intrusion, and hired a cybersecurity firm to conduct a comprehensive forensic review to determine the scope of the intrusion. It also reported the intrusion to law enforcement.
“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do,” said Chairman and CEO Richard F. Smith in a statement. “I apologize to consumers and our business customers for their concern and frustration this causes. We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations.”
To help consumers determine if they have been impacted by the breach, Equifax created a website, www.equifaxsecurity2017, where they can check their status and sign up for credit file monitoring and identity theft protection.
Critics, however, have cautioned consumers about checking their status with Equifax as doing so might waive any rights they have to sue the agency.
This is because a disclaimer on the dedicated website includes the following statement: “By consenting to submit Your Claims to arbitration, You will be forfeiting Your right to bring or participate in any class action (whether as a named plaintiff or a class member) or to share in any class action awards, including class claim where a class has not yet been certified, even if the facts and circumstances upon which the Claims are based already occurred or existed.”
New York Attorney General Eric Schneiderman tweeted that this language is “unacceptable and unenforceable,” and that his staff has contacted Equifax to demand it be removed. He also announced that he’s launching an investigation into how the breach occurred.
“The Equifax breach has potentially exposed sensitive personal information of nearly everyone with a credit report, and my office intends to get to the bottom of how and why this massive hack occurred,” Schneiderman said in a statement. “I encourage all New Yorkers to immediately call Equifax to see if their data was compromised and to consider additional measures to protect themselves.”
While investigators work to determine the cause of the breach and who was responsible, it’s likely to have widespread ramifications given the number of consumers compromised and the data involved.
In a blog post for cybersecurity firm Digital Shadows, Vice President of Strategy Rick Holland detailed what’s most likely to happen next, including tax return fraud, benefits and medical care fraud, carding, resale of data, and enablement of nation state and hacktivist campaigns.
“There are a wide range of possibilities depending on the goals of the threat actor responsible for the Equifax intrusion,” Holland wrote. “Attribution aside, one thing is certain though, regardless of the motivations of the attackers, this data is perfect for social engineering attacks.”