Credit reporting firm Equifax confirmed Thursday a cybersecurity incident that could potentially impact approximately 143 million US consumers.
According to Equifax, criminals exploited a US website application vulnerability to gain access to certain files. Based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017.
The company said that it has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.
Equifax said the information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 US consumers, and certain dispute documents with personal identifying information for approximately 182,000 US consumers, were accessed.
As part of its investigation of this application vulnerability, Equifax said it also identified unauthorized access to limited personal information for certain UK and Canadian residents.
Equifax said it will work with UK and Canadian regulators to determine appropriate next steps. The company said it has found no evidence that personal information of consumers in any other country has been impacted.
Despite announcing the news on Thursday, Equifax said that it discovered the unauthorized access on July 29 and acted immediately to stop the intrusion. The company said it promptly engaged a leading, independent cybersecurity firm that has been conducting a comprehensive forensic review to determine the scope of the intrusion, including the specific data impacted.
Equifax said it also reported the criminal access to law enforcement and continues to work with authorities. While the company’s investigation is substantially complete, it remains ongoing and is expected to be completed in the coming weeks.
“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes,” said Chairman and Chief Executive Officer, Richard F. Smith. “We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations. We also are focused on consumer protection and have developed a comprehensive portfolio of services to support all US consumers, regardless of whether they were impacted by this incident.”