Financial services company Equifax has been hit by a major security breach that may have compromised the personal records of 143 million American consumers, along with an undisclosed number of people in the UK and Canada.
The perpetrators exploited a vulnerability in a US website application to gain access to confidential information – including names, social security numbers, birth dates, addresses and driver’s license numbers, as well as around 209,000 credit card numbers – over a two-month period from May 2017.
Equifax also found unauthorised access to “limited personal information” of a number of British and Canadian customers, and will work with regulators in both countries to determine an appropriate path forward. It added that it had found “no evidence” of any unauthorised activity on its core consumer or enterprise credit reporting databases.
“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do,” said Equifax chairman and CEO Richard Smith. “I apologise to consumers and our business customers for the concern and frustration this causes.”
“We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations.
“We are also focused on consumer protection and have developed a comprehensive portfolio of services to support all US consumers, regardless of whether they were impacted by this incident.”
Since halting the intrusion on 29 July, Equifax has been working closely with law enforcement and brought in a cyber security partner to conduct a thorough forensic review of its systems. This investigation is mostly complete, but more detailed information is expected to emerge in the coming days and weeks.
Ondrej Vlcek, chief technology officer and general manager of the consumer business at security solutions supplier Avast, speculated that the attackers probably took advantage of a structured query language (SQL) injection to gain access.
“It is unacceptable that credit bureaus, which hold and then sell so much personal information, can allow such a breach to happen and practice such poor security hygiene,” said Vlcek. “We expect it is only a matter of when, not if, this data appears on the dark web market.”
Adam Nash, Webroot sales manager for Europe, the Middle East and Africa, said it was unusual that Equifax had waited almost a month and a half to inform its customers that their personal data may be at risk, and pointed out that the lack of information up to now was potentially just as harmful to Equifax’s reputation as the original breach.
“This just reinforces the need for regulation like GDPR [General Data Protection Regulation],” said Nash. “If GDPR was in place, Equifax would have had to disclose the breach of European customer data as soon as they became aware of it or risk facing substantial fines.”
Equifax customers can now access a dedicated website to find out whether or not they have been affected, and to help them sign up to credit file monitoring and ID theft protection services. The firm will also make a number of services, such as access to copies of its credit reports, ID theft insurance and internet scanning for social security numbers, free to its US customers for the next 12 months.
“I’ve told our entire team that our goal can’t be simply to fix the problem and move on,” said Smith. “Confronting cyber security risks is a daily fight. While we’ve made significant investments in data security, we recognise we must do more. And we will.”