Equifax, the Atlanta-based credit monitoring company, says that a breach exposed sensitive information about 143 million clients. The company said that the breach, which it discovered on July 29, exploited a US website application to access files between mid-May and July this year.
The problem is that this is being reported only in September.
The report said that consumers’ names, social security numbers, birth dates, addresses and, in some cases, driver’s license numbers were exposed. Credit card numbers for about 209,000 US consumers were also accessed.
“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do,” said the company’s chairman and CEO Richard Smith. “We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations.”
And it gets worse! Shortly after the attack was identified, and before the news was sent out to the public, three Equifax senior executives sold shares in the company worth almost $1.8m.
Financial institutions, landlords and other businesses draw on data from credit monitoring companies like Equifax to verify people’s identity and ensure they are suitable for leases and loans. This breach has given cybercriminals a treasure trove of data to assume the identities of those affected and carry out fraudulent transactions in their name.
“This is a security risk for any and every website that anyone uses,” Christopher O’Rourke, founder and CEO of cybersecurity firm Soteria, told CNBC.
“Most often, security questions to access those websites use that data, like a previous address, so this becomes an open-source intelligence nightmare, worse in many ways than the Office of Personnel Management government breach. It’s nasty. If I can get my hands on that information I can call a bank. They’re going to ask me for your Social, address, the information that was leaked here, to get access.”
Equifax Chairman and CEO Richard Smith apologized to consumers and customers and noted that he’s aware the breach affects what the company is supposed to protect.