Equifax, one of the largest credit bureaus in the U.S., said on Thursday that an application vulnerability on one of their websites led to a data breach that exposed about 143 million consumers. The breach was discovered on July 29, but the company says that it likely started in mid-May.
“Criminals exploited a U.S. website application vulnerability to gain access to certain files. Based on the company’s investigation, the unauthorised access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax’s core consumer or commercialcredit reporting databases,” the company said in a statement.
The statement goes on to say that those responsible for the data breach accessed records containing Social Security Numbers, birth dates, addresses, and in some cases driver’s license numbers.
Moreover, 209,000 consumers also had their credit card data exposed. The data breach also included “certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers.”
“As part of its investigation of this application vulnerability, Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents. Equifax will work with UK and Canadian regulators to determine appropriate next steps. The company has found no evidence that personal information of consumers in any other country has been impacted,” the company says.
Equifax has launched a website (www.equifaxsecurity2017.com) for those potentially impacted, and will offer credit monitoring to all U.S. consumers. The company will also be contacting those directly impacted via USPS with additional details.
“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologise to consumers and our business customers for the concern and frustration this causes,” said Chairman and Chief Executive Officer, Richard F. Smith in a statement.
The company has hired a forensics firm to help with the investigation and offer guidance on preventing such a data breach from happening again.
“I’ve told our entire team that our goal can’t be simply to fix the problem and move on. Confronting cybersecurity risks is a daily fight. While we’ve made significant investments in data security, we recognize we must do more. And we will,” Smith added.