Equifax, which not only stores extremely sensitive financial data for 820 million consumers, 91 million businesses and 7,100 employers worldwide but also markets credit-monitoring and identity-theft protection products, disclosed yesterday that hackers had gained access to the records of about 143 million U.S. consumers from the middle of May through the end of July.
The Atlanta-based company says the intruders could see customers’ names, Social Security numbers, birth dates and addresses — as well as some driver’s license numbers — but that it “has found no evidence of unauthorized activity on Equifax's core consumer or commercial credit reporting databases.”
“This is the nightmare scenario — all four pieces of information in one place,” John Ulzheimer, a credit specialist and former manager at Equifax, tells the Wall Street Journal’s AnnaMaria Andriotis and Ezequiel Minaya.
“The incident comes at a time of heightened sensitivity to cyberattacks in the political, commercial and personal realms, especially in the wake of presumed Russian interference in the U.S. presidential election last year,” they write.
“This is about as bad as it gets,” Pamela Dixon, executive director of the World Privacy Forum, tells the New York Times. “If you have a credit report, chances are you may be in this breach. The chances are much better than 50%.”
“All told, the number of American consumers affected constitutes about 44% of the U.S. population,” NPR’s Colin Dwyer points out. “Equifax did not explain why more than two months passed before it discovered the hack, which also affected an unspecified number of consumers from Canada and the U.K.,” he adds.
“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes,” Equifax chairman and CEO Richard F. Smith says in the news release announcing the hack. He somberly elaborates on what happened, and what Equifax is doing about it, in a 2:37 video.
Equifax has established www.equifaxsecurity2017.com and a call center at 866-447-7559 to help consumers determine if their information has been potentially impacted and to sign up for credit file monitoring and a free year of its credit protection service. But this remedy “falls short of what consumers really need, because their information can be bought and sold by hackers for years to come,” consumer credit expert John Ulzheimer tells the NYT’s Tara Siegel Bernard, Tiffany Hsu, Nicole Perlroth and Ron Lieber.
CNET’s Sharon Profis points out that “Equifax's enrollment program doesn't explicitly tell you if your data was a part of the breach. The company only makes it clear to those who weren't exposed. It's confusing.” She cites a couple of additional perceived shortcomings of the program and suggests additional steps consumers should take to protect their data.
Law enforcement officials have been notified and Equifax has hired a “leading cyber-security firm to conduct a forensic review to determine the scope of the intrusion,” Equifax CEO Smith tells us in the video.
Adding to the tarnish on its image, three top Equifax executives — including CFO John Gamble — sold shares worth roughly a combined $1.8 million within a few days of the discovery of the breach.
The three “sold a small percentage of their Equifax shares,” spokeswoman Ines Gutzmer said in a statement emailed to Bloomberg’s Anders Melin. They “had no knowledge that an intrusion had occurred at the time.” Melin points out, though, that “none of the filings lists the transactions as being part of 10b5-1 scheduled trading plans.”
Gamble sold shares worth $946,374, U.S. information solutions president Joseph Loughran sold shares worth $584,099, and workforce solutions president Rodolfo Ploder sold shares worth $250,458, according to regulatory filings.
“The breach also took in what Equifax called ‘limited personal information’ about some U.K. and Canadian residents — a fact that means the company has to now deal with regulators in those countries, too. The firm said it had no evidence that information for other countries' citizens was compromised,” David Meyer reports for Fortune.
Meanwhile, security experts seem to be going out of their way not to minimize the severity of the situation.
“This is a security risk for any and every website that anyone uses,” Christopher O'Rourke, founder and CEO of cybersecurity firm Soteria, tells CNBC’s Todd Haselton. “Most often, security questions to access those websites use that data, like a previous address, so this becomes an open-source intelligence nightmare…. It's nasty.”