U.S. credit score provider Equifax has suffered a cyber-attack giving hackers access to the personal details of as many as 143 million people.
The company revealed that ‘criminals’ exploited a website application vulnerability to gain access to files, between mid-May and July this year.
The company discovered the breach on July 29th, meaning they waited around a week and a half before informing customers.
The hackers have gained access to extremely sensitive information such as names, social security numbers, birth dates, addresses, and in some cases, driver’s license numbers.
As well as this, credit card details for around 209,000 U.S. customers and dispute documents with personal identifying information for around 182,000 people were accessed. The company has also stated that some limited information of UK and Canadian customers was gained, and is working with regulators in those countries.
Equifax chairman and CEO, Richard F Smith, said: ‘This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes.’
As well as being one of the largest data breaches in U.S. history, the sensitive nature of the information makes the leak particularly significant. The company holds the information in order to identify people for the purpose of credit checks, meaning the data can potentially be used to commit identity fraud on a large scale.
Gartner security analyst Avivah Litan, said: ‘On a scale of 1 to 10, this is a 10. It affects the whole credit reporting system in the United States because nobody can recover it, everyone uses the same data.’
According to Litan, the breach could undermine the security of information held by other major companies that perform the same service as Equifax, such as Experian and TransUnion. A former analyst at GCHQ, Matt Tait, noted that the nature of the information means it is likely to be used for phishing.
In the wake of the breach, Equifax has set up a website to let customers check if their information has been accessed. However, the website offers a credit monitoring service, using its own breached service.
There is also a dedicated phone number for customers who are concerned about their data, though TechCrunch tested the number and was unable to get through, on three separate occasions.
Since announcing the breach, Equifax’s stock price has dropped significantly. Before the announcement was made, several senior executives sold shares worth around $1.8 million (approx. £1.3 million), though the company has stated that they were not aware of the breach at the time.