Credit reporting firm Equifax reported a massive data breach on Thursday, which could affect some 143 million US consumers, the company said in a press release. Attackers gained access through a website vulnerability discovered by Equifax on July 29, 2017, the release said.
Unfortunately, quite a bit of personal data was put at risk in the breach. Customer names, Social Security numbers, birth dates, addresses and driver's license numbers were leaked. Additionally, the credit card numbers of 209,000 US consumers were leaked along with dispute documents for 182,000 US consumers that contained personal identifying information (PII).
Equifax also noted that the personal information of certain UK and Canadian residents was accessed in an unauthorized manner, the release said. However, no other countries seem to have been impacted.
Since it discovered the breach, Equifax has been working with an independent cybersecurity firm to mitigate the damage and stop the intrusion. However, as Bloomberg reported, Equifax managers sold almost $2 million worth of stock after the breach was discovered but before it was made public, and none of those transactions were listed as scheduled trading plans.
While Equifax's investigation is "substantially complete," the release said, it is still ongoing.
"This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes," CEO Richard Smith said in the release. "We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations."
Customers whose credit card numbers or dispute documents were leaked will receive a notification in the mail, the release said. For others, the firm has set up a website (www.equifaxsecurity2017.com) where users can check if they were impacted.
While Equifax offers complimentary identity theft protection and credit monitoring for a year, it requires quite a bit of personal data to do so.
However, when tested, the website seemed to show breach confirmation for a variety of unlikely last name and Social Security number combinations. TechRepublic tested the last name "Smith" with 123456, 654321, and 111111 as the digits, and they all returned a positive response.
Regardless of the website's potential effectiveness, customers who believe they may be affected should act immediately. RSA senior director of advanced cyber defense, Peter Tran, said that the first 48-72 hours after the breach is the critical "make or break" window for remediation, communication, and discovery, and customers have a lot of work to do right now.
"Right out of the gate, consumers need to take three imperative actions: Work directly with Equifax to determine impact and the process for post-breach personal identity protection and monitoring, change all online-based banking and credit card passwords, and work with your financial institutions to enable a secondary form of authentication and/or 'security challenge' question such as using a mobile device or similar to have a unique passcode sent each time," Tran said.
The 3 big takeaways for TechRepublic readers
- A data breach of credit firm Equifax could have put the personal information of some 143 million US consumers at risk, with some users having their credit card numbers leaked.
- Equifax originally discovered the breach on July 29, 2017, and some company managers sold stock in the company before the breach was made public.
- The first 48-72 hours after the breach is a critical window where users must take action to secure their accounts and change their passwords, RSA's Peter Tran said.
Conner Forrest has nothing to disclose. He doesn't hold investments in the technology companies he covers.
Conner Forrest is a Senior Editor for TechRepublic. He covers enterprise technology and is interested in the convergence of tech and culture.