Credit reporting company Equifax (NYSE:EFX) announced Thursday a cybersecurity data breach that could have impacted about 143 million U.S. consumers.
The company said in a statement the unauthorized entry occurred mid-May through July 2017, as criminals “exploited U.S. website application vulnerability” to access files ranging from social security numbers, birth dates, addresses and driver’s license numbers. Hackers also accessed the credit card numbers of about 209,000 consumers in the U.S. and other documents with personal identifying information for about 182,000 people in the U.S. Equifax said it discovered the breach on July 29, 2017 but did not publically disclose the information until Sept. 7, 2017.
"This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes," Equifax Chairman and CEO Richard F. Smith said in a statement. "We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations. We also are focused on consumer protection and have developed a comprehensive portfolio of services to support all U.S. consumers, regardless of whether they were impacted by this incident."
Equifax said it also found that hackers gained unauthorized access to limited personal information for certain residents in the United Kingdom and Canada. The company said its investigation has not found any evidence of illegal activity on its “core consumer or commercial credit reporting databases.”
“This is the nuclear explosion of identity theft opportunity. They’ve got names, dates of birth, Social Security numbers, addresses … I don’t think 143 [million] is going to be the number. Like with anything else, it starts at a number and it always seems to grow. So this thing could grow higher than 143 million," cybersecurity expert Morgan Wright told "Risk & Reward."
As a result, the company has set up a website for consumers that will help them identify if their information was affected. It will also send notices directly in the mail to consumers that have had credit card numbers or dispute documents with personal identifying information compromised, according to Equifax.
“When breaches like these happen, consumers need to be diligent—and not just in the short term. Just because nothing looks amiss on your bank statements or your credit report now, that doesn't mean you haven't been compromised,” said Matt Schulz, senior industry analyst at CreditCards.com. “Bad guys can be very patient, so it's important to keep an eye out long after this story fades from the headlines."
Shares of Equifax tumbled nearly 6% in after-hours trading and have advanced 19% this year.