Stand up who HASN'T been hit in the Equifax mega-hack – whoa, whoa, sit down everyone
143m in US, unknown number in UK, Canada – gulp!
Vid Global credit reporting agency Equifax admitted today it suffered a massive breach of security that could affect almost half of the US population.
In a statement, the biz confessed that hackers managed to get access to some of its internal data in mid-May by exploiting a vulnerable website application. They remained on the system until they were discovered on July 29. Equifax has called in the FBI and is in contact with regulators in other countries about the case.
CEO Richard Smith said that the company's core consumer and commercial credit reporting databases were untouched – only the names, social security numbers, birth dates, addresses and, in some instances, driver's license numbers of 143 million Americans were exposed.
Here's Smith explaining himself to the world this afternoon in a video:
As for folks' credit card numbers, Equifax said payment card details for around 209,000 US consumers were also swiped by miscreants. In addition, "certain dispute documents with personal identifying information" belonging to 182,000 Americans were also illegally accessed. An unknown number of Canadian and UK customers have also had their private data pinched.
"This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do," said Smith.
"I apologize to consumers and our business customers for the concern and frustration this causes. We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations."
In response to the debacle, Equifax is offering every US citizen a year's free identity theft monitoring for those who apply, and has set up a dedicated call center and website to handle information requests from worried consumers. It will also mail notifications to everyone who lost data in the incident.
Yes, the identity theft detection service will be supplied by... Equifax. And if you want to check you're affected by the mega-hack, you have to supply your last name and last six digits of your social security number. To an outfit that just lost your social security number. Which is no use to peeps in the UK or Canada.
Having said that, as responses go, that's better than we've seen from other companies, which usually just tell potential victims to keep an eye on their credit card bills. Then again, since the credit-rating giant does commercial identity theft monitoring, giving it away isn't too expensive for their accountants.
To avoid hackers, ensure you use lower and uppercase characters, and at least one symbol, in your social security number #equifaxadvice— The Register (@TheRegister) September 7, 2017
After such a monumental IT cockup, Equifax has called in a professional security firm to lock down its systems and pick apart the event, gathering evidence as to what has been stolen and possibly gaining clues as to who has it. Smith pledged that the company would not stop until its servers were secure.
"I've told our entire team that our goal can't be simply to fix the problem and move on," he said. "Confronting cybersecurity risks is a daily fight. While we've made significant investments in data security, we recognize we must do more. And we will." ®
Sponsored: Becoming a Pragmatic Security Leader