Credit scoring company Equifax announced Thursday (Sept.7) it had experienced a cybersecurity incident that may have impacted approximately 143 million consumers in the U.S., as well as the credit card numbers of approximately 209,000 people.
In a press release detailing the cybercrime, the company said hackers potentially exploited a U.S. website application vulnerability to gain access to certain files. Based on the company's investigation, the unauthorized access occurred from mid-May through July 2017, with no evidence of unauthorized activity on Equifax's consumer or commercial credit reporting databases, the company said in the release.
According to Equifax, the information impacted includes names, Social Security numbers, birth dates, addresses and, in some instances, driver's license numbers. The company also reported 209,000 U.S. consumer accounts were accessed by the hackers, as well as certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers. As part of its investigation, Equifax also identified unauthorized access to limited personal information for certain U.K. and Canadian residents.
Equifax noted it is working with U.K. and Canadian regulators to determine appropriate next steps. The company has found no evidence that the personal information of consumers in any other country had been affected by the breach, it said.
“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do,” said chairman and chief executive officer Richard F. Smith in the press release. “I apologize to consumers and our business customers for the concern and frustration this causes. We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations. We also are focused on consumer protection and have developed a comprehensive portfolio of services to support all U.S. consumers, regardless of whether they were impacted by this incident.”
Equifax said once it discovered the breach on July 29, it immediately moved to stop the intrusion and engaged an independent cybersecurity firm.
They managed to cover themselves in even more glory yesterday when it was also reported that Equifax executives — before releasing the data on the massive hack they found — took the time to unload a lot of stock first. Three Equifax executives sold almost $1.8 million worth of stock in the company shortly after the company discovered the breach. The trades were not part of a scheduled action, though the firm says the trio had not yet been informed of the incident.
Bloomberg reports that regulatory findings indicate that Chief Financial Officer John Gamble sold shares worth $946,374 and Joseph Loughran, president of U.S. information solutions, exercised options to dispose of stock worth $584,099. Rodolfo Ploder, president of workforce solutions, sold $250,458 of stock on Aug. 2.
Heck of a coincidence.
Equifax also reported it notified law enforcement and is working with authorities. The inquiry is expected to be completed in a couple of weeks.