(Reuters) – Equifax, a provider of consumer credit scores, said on Thursday that personal details of as many as 143 million US consumers were accessed by hackers between mid-May and July, in what could be one of the largest data breaches in the United States.
The company’s shares fell nearly 19% in after-market trading as investors reacted to possible consequences of the exposure of sensitive data of nearly half of the US population.
Atlanta-based Equifax said in a statement that it discovered the breach on July 29. It said criminals exploited a US website application vulnerability to gain access to certain files that included names, Social Security numbers and driver’s license numbers.
In addition, credit card numbers of around 209,000 US consumers and certain dispute documents with personal identifying information of around 182,000 US consumers were accessed. Information of some UK and Canadian residents was also gained in the hack, Equifax said.
Equifax said in its statement that it was working with law enforcement agencies and has hired a cyber security firm to investigate the breach. It said its investigation is “substantially complete,” and expects it will be completed in the coming weeks.
The company declined to comment beyond its statement.
The Federal Bureau of Investigation is tracking the situation, a spokeswoman for the agency said.
US Senator Mark Warner, vice chairman of the Senate Select Committee on Intelligence, said in a statement that it would not be an “exaggeration to suggest that a breach such as this represents a real threat to the economic security of Americans.”
Equifax’s breach follows rival Experian’s breach two years ago that exposed sensitive personal data of some 15 million people who applied for service with T-Mobile US.
“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do,” Equifax chief executive Richard Smith said in a statement, adding that the company is conducting “a thorough review of our overall security operations.”
Likelihood of phishing is high
Cybersecurity experts said the breach was very serious.
“On a scale of 1 to 10, this is a 10. It affects the whole credit reporting system in the United States because nobody can recover it, everyone uses the same data,” said Avivah Litan, a Gartner analyst who tracks identity theft and fraud.
Equifax handles data on more than 820 million consumers and more than 91 million businesses worldwide and manages a database with employee information from more than 7,100 employers, according to its website.
Ryan Kalember, senior vice president of cyber security firm Proofpoint, said the hack was “especially troubling” because companies typically offer free credit monitoring services from firms such as Equifax, which has now itself suffered a huge cyber attack.
“The information is very personal – the likelihood that it could be used for phishing is very high,” said Matt Tait, a former analyst at the British intelligence service GCHQ and a cyber security researcher.
Equifax said consumers could check if their information had been impacted at www.equifaxsecurity2017.com.
Representative Maxine Waters, a member of the House of Representatives Financial Services Committee, said in a statement that she would reintroduce legislation to “enhance consumer protection tools available to minimize harm caused by identity theft.”
Three days after Equifax discovered the breach, three top Equifax executives, including chief financial officer John Gamble and a president of a unit, sold Equifax shares or exercised options to dispose of stock worth about $17.8 million, regulatory filings show. It was not clear whether these transactions were part of a pre-arranged sales plan.
Equifax said in a statement that the executives were not aware that an intrusion had occurred when they sold their shares.
(Reporting by Yashaswini Swamynathan in Bengaluru; Additional reporting by Laharee Chatterjee in Bengaluru and Siddharth Cavale and Dustin Volz in Washington; Editing by Leslie Adler)