Equifax, a major credit reporting agency, announced Thursday that hackers had gained access to personal data from approximately 143 million of its customers.
Here’s what we know.
Sometime between mid-May and July, hackers breached an Equifax web application, gaining access to the names, birth dates, addresses, Social Security numbers and, in some cases, driver’s license numbers of some 143 million customers, the company said in a blog post Thursday.
Equifax discovered the breach July 29. The company says it has “no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.”
Equifax is one of the three major credit tracking companies in the country.
The number of customers affected in this breach amounts to nearly half of the entire U.S. population, which was 324 million in a U.S. census count in January, CNBC points out.
Along with the sensitive personal data, hackers also gained access to credit card numbers of 209,000 U.S. customers and documents related to credit report disputes from another 182,000 American consumers.
TechCrunch says citizens of Canada and the UK were also affected by the breach.
How bad is this?
As TechCrunch put it: “pretty bad.”
On a scale of one to 10 in terms of data breaches, “this is a 10,” Pam Dixon, the executive director of the World Privacy Forum, told NewsHour.
Reporter Ron Miller writes:
This is not the worst breach of all time by a long shot in terms of pure numbers. That distinction goes to Yahoo, now part of Oath (which was acquired by our parent company, Verizon). They had a leak involving more than a billion users.
But this leak is particularly worrisome because Equifax is a credit reporting service and tracks a history of your consumer life, credit cards, credit scores and more — and it gives the black market a potential gold mine of information about people’s financial lives.
“In addition to the number [of victims] being really large, the type of information that has been exposed is really sensitive,” said Beth Givens, executive director of the Privacy Rights Clearinghouse, told the Washington Post. “All in all, this has the potential to be a very harmful breach to those who are affected by it.”
“This is not just a problem for one year for a person. It will be years of issues,” Dixon said.
Equifax’s stock fell 9 percent after the news broke, USA Today noted.
The company has set up a website — www.equifaxsecurity2017.com — for consumers to see whether, and how much of, their data was breached. It’s offering a year of free credit monitoring to all those affected by the hack. But the company came under fire for charging affected customers $30 if they then wanted to freeze their credit — a step recommended by many security experts.
As the New York Times wrote:
It’s a logical reaction: You did not ask Equifax to vacuum up data about you, and then resell it to marketers and loan sellers. And it is not your fault that the company could not keep that data safe. So why should you pay for a freeze, which keeps new creditors from seeing your credit file and thus can keep thieves from applying for credit in your name?
The Times reported Tuesday that Equifax had decided to waive that fee until Nov. 21, and refund all fees already paid by customers.
Other tell-tale signs you’ve been affected, Dixon says: you’ll get a notification that someone has tried to access credit in your name, that your social security number is on the dark web or that someone has tried to change their billing address
Meanwhile, law enforcement and an independent cybersecurity firm are investigating the scope of the hack and how it occurred. They’re expecting to release their findings in the coming weeks.
In the days since the breach was announced, nearly two dozen class-action lawsuits were filed against Equifax. Separately, the state of Massachusetts was filing its own lawsuit, while New York’s attorney general launched his own investigation and the Senate Committee on Finance submitted a long list of questions about the incident to the company.