The US arm of the credit score company Equifax has disclosed that one of its databases was breached through an unspecified vulnerability on its website, exposing the personal information of an estimated 143 million people, including some in the UK and Canada. The company organises, assimilates and analyses data on more than 820 million consumers and more than 91 million businesses worldwide, and its database includes employee data contributed from more than 6,600 employers.
This highlights again the hidden risks in the online world, as such data is very valuable and could be used to create false identities or lead to phantom transactions.
Equifax Australia (formerly Veda), which itself holds the credit history information on Australian customers, is a wholly owned subsidiary. The local company tweeted “please be assured that we have found no evidence that personal information of consumers in Australia or New Zealand has been impacted by the US cybersecurity incident”.
Equifax says the US penetration occurred sometime between mid-May and the end of July, but has only recently announced that the breach happened. The company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.
The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed. As part of its investigation of this application vulnerability, Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents. Equifax will work with UK and Canadian regulators to determine appropriate next steps. The company has found no evidence that personal information of consumers in any other country has been impacted.
Equifax discovered the unauthorized access on July 29 of this year and acted immediately to stop the intrusion. The company promptly engaged a leading, independent cybersecurity firm that has been conducting a comprehensive forensic review to determine the scope of the intrusion, including the specific data impacted. Equifax also reported the criminal access to law enforcement and continues to work with authorities. While the company’s investigation is substantially complete, it remains ongoing and is expected to be completed in the coming weeks.
“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes,” said Chairman and Chief Executive Officer, Richard F. Smith. “We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations. We also are focused on consumer protection and have developed a comprehensive portfolio of services to support all U.S. consumers, regardless of whether they were impacted by this incident.”
Equifax has established a dedicated website to help consumers determine if their information has been potentially impacted and to sign up for credit file monitoring and identity theft protection. In addition to the website, Equifax will send direct mail notices to consumers whose credit card numbers or dispute documents with personal identifying information were impacted. Equifax is also in the process of contacting U.S. state and federal regulators and has sent written notifications to all U.S. state attorneys general, which include Equifax contact information for regulator inquiries.
Equifax has engaged a leading, independent cybersecurity firm to conduct an assessment and provide recommendations on steps that can be taken to help prevent this type of incident from happening again.
CEO Smith said, “I’ve told our entire team that our goal can’t be simply to fix the problem and move on. Confronting cybersecurity risks is a daily fight. While we’ve made significant investments in data security, we recognize we must do more. And we will.”
There is a fine-print “arbitration clause” which seeks to protect the company from class actions, but in a response to consumer inquiries, the company says the arbitration clause and class action waiver included in its terms of use do not apply to this cybersecurity incident.
Also, according to documents filed with securities regulators, three Equifax executives sold shares worth a combined $1.8 million just a few days after the company discovered the breach. However, Equifax has said the three executives “had no knowledge that an intrusion had occurred at the time they sold their shares.”