Equifax, one of the “big-three” U.S. credit bureaus, announced a massive data breach today that not only exposes affected consumers to an increased risk of identity theft, but could have a domino effect across their other accounts.
The cybersecurity incident potentially impacts approximately 143 million U.S. consumers. Criminals exploited a security vulnerability on a U.S.-based Equifax website to gain access to certain sensitive files. Based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017.
The exposed data includes Social Security numbers, birth dates, current and past addresses, driver’s license numbers, credit card numbers and other unspecified PII (personally identifiable information) on a large swath of U.S. consumers. Additionally, some UK and Canadian residents may be impacted as well.
Equifax claims the cyber criminals were able to exploit a web application vulnerability to gain access to certain files. It is still not disclosed which application or vulnerability was exploited.
“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes,” said Chairman and Chief Executive Officer Richard F. Smith in a statement on the Equifax website. “We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations.”
Equifax has established a dedicated website, www.equifaxsecurity2017.com, to help consumers determine if their information has been potentially impacted and to enroll in complementary credit file monitoring and identity theft protection. The offering, called TrustedID Premier, includes 3-Bureau credit monitoring of Equifax, Experian and TransUnion credit reports, copies of Equifax credit reports, the ability to lock and unlock Equifax credit reports, identity theft insurance, and Internet scanning for Social Security numbers. This service will be free to affected U.S. consumers for one year. The website also provides additional information on steps consumers can take to protect their personal information.
While the data breach does not seem to include user names and passwords at this point, there is still ample cause for concern. The biggest danger is identity theft. Given the information that was exposed, it should be possible for criminals in possession of the stolen data to open new financial accounts in the names of the victims. Another danger is unauthorized access to your accounts. With the personally identifiable information (PII) available to them, attackers could potentially answer security questions to gain access to accounts over the phone and possibly even the web.
We will update this blog as we find out more information about the forensics of this data breach.