Even in a day and age where cyber-attacks are commonplace, the latest breach, involving Equifax, stands out as particularly alarming given the company’s role as one of the three consumer credit rating agencies.
On Sept. 7, Equifax announced a cyber-security incident potentially impacting approximately 143 million U.S. consumers. Criminals exploited a U.S. website application vulnerability to gain access to certain files, the firm said in a statement. Based on the company's investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax's core consumer or commercial credit reporting databases.
The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver's license numbers. Also, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed.
As part of its investigation of this application vulnerability, Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents. “[We] will work with UK and Canadian regulators to determine appropriate next steps,” a statement says. “The company has found no evidence that personal information of consumers in any other country has been impacted.”
Equifax discovered the unauthorized access on July 29 and “acted immediately to stop the intrusion,” the firm said in its post-breach statement. It “promptly engaged a leading, independent cybersecurity firm that has been conducting a comprehensive forensic review to determine the scope of the intrusion, including the specific data impacted.”
Equifax also reported the criminal access to law enforcement and continues to work with authorities. “While the company's investigation is substantially complete, it remains ongoing and is expected to be completed in the coming weeks,” it said.
“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes,” said Chairman and CEO Richard Smith. “We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations. We also are focused on consumer protection and have developed a comprehensive portfolio of services to support all U.S. consumers, regardless of whether they were impacted by this incident.”
Equifax has established a dedicated website, www.equifaxsecurity2017.com, to help consumers determine if their information has been potentially impacted and to sign up for credit file monitoring and identity theft protection. The offering, called TrustedID Premier, includes three-Bureau credit monitoring of Equifax, Experian and TransUnion credit reports; copies of Equifax credit reports; the ability to lock and unlock Equifax credit reports; identity theft insurance; and Internet scanning for Social Security numbers. The services will be complimentary to U.S. consumers for one year.
Equifax will send direct mail notices to consumers whose credit card numbers or dispute documents with personal identifying information were impacted. The company is in the process of contacting U.S. state and federal regulators and has sent written notifications to all state attorneys general, it said.
“I've told our entire team that our goal can't be simply to fix the problem and move on. Confronting cybersecurity risks is a daily fight,” Smith said. “While we've made significant investments in data security, we recognize we must do more. And we will.”
Headquartered in Atlanta, Ga., Equifax operates or has investments in 24 countries in North America, Central and South America, Europe and the Asia Pacific region.
Potentially more bad news for the company comes from reporting published by CNN. It alleges that “three Equifax executives sold shares of the credit-reporting company worth nearly $2 million shortly after a massive data breach was discovered.” The sales, it said, occurred before the company announced the breach to the public on Thursday.
According to SEC filings, Equifax Chief Financial Officer John Gamble sold shares worth nearly $950,000 on Aug. 1, CNN reported. “Joseph Loughran, Equifax's president for U.S. information solutions, sold shares worth about $685,000 on that same day. Rodolfo Ploder, president of workforce solutions, sold stock for just more than $250,000 on Aug. 2.
Equifax, a statement to CNN, defended the transactions as a "small percentage" of what the executives own and that they “had no knowledge that an intrusion had occurred” when they made the sales.
That defense raises other questions. Why did it take days for top executives to be informed of the breach? Also, why did t take more than a month, post-discovery, to issue notice to the public and regulators.