Equifax, Inc., one of three major credit reporting agencies, recently disclosed that criminal hackers had gained access to nonpublic personal information for roughly 143 million American consumers earlier this year. According to a public statement by the company, Equifax discovered on July 29, 2017, that criminals had exploited a website application to gain access to certain files containing consumer information, including Social Security numbers, birthdates, addresses, and other nonpublic financial information.
Days after its initial disclosure, Equifax revealed that the hack involved a known vulnerability in software used by the company. Equifax reports that it has taken steps to patch the vulnerability and to prevent such incidents from recurring in the future. The company has hired an independent cybersecurity firm, but has not yet determined the scope of the intrusion. The results of an initial probe suggest that the unauthorized access began in mid-May, nearly two months after a fix for the exploited software vulnerability became available.
Equifax believes that hackers obtained credit card numbers for approximately 209,000 consumers and, separately, certain dispute documents for approximately 182,000 consumers, and says that it is working with these individuals directly to prevent unauthorized charges. To mitigate harm to the broader population of consumers affected by the breach, Equifax is offering free identity theft protection and credit file monitoring.
In response to public uproar over the breach, the CFPB and Federal Trade Commission have launched independent investigations into Equifax regarding its response to, and cybersecurity practices leading up to, the breach. Equifax is also facing inquiries from multiple Congressional committees and the office of New York Attorney General Eric Schneiderman in connection with the breach. In apparent response to scrutiny from lawmakers and regulators, Equifax announced that its chief information officer and chief security officer would resign from the company immediately. Dozens of class action lawsuits have been filed nationwide in response to the breach.
Although the Equifax breach does not surpass other high-profile data breaches in terms of magnitude (such as the 2016 breach of a reported 1 billion Yahoo user accounts), this large-scale breach of highly sensitive, irreplaceable information is unprecedented.
Equifax’s CEO, Richard Smith, is scheduled to testify before a House subcommittee on October 3.
Equifax’s public statement is available here.