The Washington PostDemocracy Dies in Darkness

Data of 143 million Americans exposed in hack of credit reporting agency Equifax

September 7, 2017 at 8:35 p.m. EDT
The credit reporting agency, Equifax, announced on Sept. 7 that a hack has impacted the credit histories of up to 143 million Americans. (Video: Amber Ferguson/The Washington Post)

The credit reporting agency Equifax said Thursday that hackers gained access to sensitive personal data — Social Security numbers, birth dates and home addresses — for up to 143 million Americans, a major cybersecurity breach at a firm that serves as one of the three major clearinghouses for Americans’ credit histories.

Equifax said the breach began in May and continued until it was discovered in late July. It said hackers exploited a “website application vulnerability” and obtained personal data about British and Canadian consumers as well as Americans. Social Security numbers and birth dates are particularly sensitive data, giving those who possess them the ingredients for identity fraud and other crimes.

Equifax also lost control of an unspecified number of driver’s licenses, along with the credit card numbers for 209,000 consumers and credit dispute documents for 182,000 others. The company said it did not detect intrusions into its “core consumer or commercial credit reporting databases.”

Equifax asks consumers for personal info, even after massive data breach

Here's what you need to know about using cloud computing services - both the benefits and the security risks. (Video: Sarah Parnass, Dani Player, Brian Fung/The Washington Post)

Equifax declined to comment on questions seeking more detail on what type of data was compromised.

Equifax is one of the largest U.S.-based credit reporting agencies that collect and analyze detailed records of financial data for records of a wide range of consumers worldwide. The judgments of these companies about the creditworthiness of individuals can affect their ability to gain loans, housing and jobs, while also determining the interest rates on consumer products.

The information exposed in the Equifax breach is categorized as “personally identifiable information” or PII, and is regarded as particularly sensitive, experts say.

“The type of information that has been exposed is really sensitive,” said Beth Givens, executive director of the Privacy Rights Clearinghouse, a consumer advocacy group based in San Diego. “All in all, this has the potential to be a very harmful breach to those who are affected by it.”

The company did not respond to a question about why it waited six weeks to disclose the hack.

Bloomberg News reported Thursday evening that three company executives — Chief Financial Officer John W. Gamble; Joseph M. Loughran III, the president of U.S. information solutions; and Rodolfo O. Ploder, the president of workforce solutions — sold large amounts of their shares of Equifax stock totaling nearly $1.8 million in the days after the breach was discovered July 29. The Washington Post confirmed the sales based on Securities and Exchange Commission filings.

The stock trades were not part of a previous scheduled sale, federal filings show.

A company spokeswoman, Ines Gutzmer, said in an email Thursday night: “The three executives who sold a small percentage of their Equifax shares on Tuesday, August 1, and Wednesday, August 2, had no knowledge that an intrusion had occurred at the time they sold their shares.”

On Thursday, after the company disclosed the hack, Equifax shares plummeted 12 percent in after-hours trading.

One of the other leading credit rating agencies, Experian, was hacked in 2015, causing the personal data of 15 million Americans to be exposed.

The recent hack of Equifax was far larger but fell short of data breaches suffered by Yahoo, which affected 1 billion people worldwide.

Equifax said Thursday that it was alerting those who were affected by mail. It also set up a website, equifaxsecurity2017.com, to help consumers understand the breach and check whether they were affected. The company is offering one year of free credit monitoring and identity theft protection to anyone who may have been affected.

Why it can take so long for companies to reveal their data breaches

“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes,” Richard F. Smith, the company’s chief executive, said in a statement published on its website. “We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations.”

Equifax, based in Atlanta, is working with law enforcement on an investigation of the breach and has hired an independent cybersecurity research firm to assess the scope of the intrusion. The company’s website says it operates in 24 countries and has access to the data of more than 820 million consumers worldwide, along with data for 91 million businesses.

Companies often do not immediately alert affected people to cybersecurity incidents, prompting periodic calls from state and federal legislators for new laws to require more rapid and complete disclosures to affected consumers.

On Thursday night, Sen. Mark R. Warner (D-Va.), co-founder of the Senate Cybersecurity Caucus, described the Equifax breach as “profoundly troubling” and called for more consumer protections against data theft and timely notification to consumers whose personal information is compromised.

“It is no exaggeration to suggest that a breach such as this — exposing highly sensitive personal and financial information central for identity management and access to credit — represents a real threat to the economic security of Americans,” Warner said in his statement.

Although Equifax is widely known as a credit reporting agency, the company is also involved in the collection and sale of consumer data — a lucrative and loosely regulated industry that in 2013 attracted the scrutiny of Senate investigators.

In one report, the Senate Commerce Committee found that such data brokers were responsible for slicing up consumer data and categorizing Americans according to their financial characteristics, using labels such as “X-tra Needy,” “Fragile Families” and “Ethnic Second-City Strugglers” to describe the financially vulnerable.

Critics say the practice allows for the targeting and marketing of predatory financial instruments, and that the labels reflect a fundamental callousness about the industry.

The Federal Trade Commission accused Equifax in 2012 of inappropriately selling thousands of lists of consumers’ data to third parties, who then “used the lists to pitch loan modification and debt relief services to people in financial distress,” according to the FTC.

Drew Harwell and Steven Mufson contributed to this report.