Stand up who HASN'T been hit in the Equifax mega-hack – whoa, whoa, sit down everyone

143m in US, unknown number in UK, Canada – gulp!

By Iain Thomson in San Francisco


Global credit reporting agency Equifax admitted today it suffered a massive breach of security that could affect almost half of the US population.

In a statement, the biz confessed that hackers managed to get access to some of its internal data in mid-May by exploiting a vulnerable website application. They remained on the system until they were discovered on July 29. Equifax has called in the FBI and is in contact with regulators in other countries about the case.

CEO Richard Smith said that the company's core consumer and commercial credit reporting databases were untouched – only the names, social security numbers, birth dates, addresses and, in some instances, driver's license numbers of 143 million Americans were exposed.

Here's Smith explaining himself to the world this afternoon in a video:

As for folks' credit card numbers, Equifax said payment card details for around 209,000 US consumers were also swiped by miscreants. In addition, "certain dispute documents with personal identifying information" belonging to 182,000 Americans were also illegally accessed. An unknown number of Canadian and UK customers have also had their private data pinched.

"This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do," said Smith.

"I apologize to consumers and our business customers for the concern and frustration this causes. We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations."

In response to the debacle, Equifax is offering a year's free identity theft monitoring to every US citizen who applies, and has set up a dedicated call center and website to handle information requests from worried consumers. It will also mail notifications to everyone who lost data in the incident.

Yes, the identity theft detection service will be supplied by... Equifax. And if you want to check you're affected by the mega-hack, you have to supply your last name and last six digits of your social security number. To an outfit that just lost your social security number. Which is no use to peeps in the UK or Canada.

Having said that, as responses go, that's better than we've seen from other companies, which usually just tell potential victims to keep an eye on their credit card bills. Then again, since the credit-rating giant does commercial identity theft monitoring, giving it away isn't too expensive for their accountants.

After such a monumental IT cockup, Equifax has called in a professional security firm to lock down its systems and pick apart the event, gathering evidence as to what has been stolen and possibly gaining clues as to who has it. Smith pledged that the company would not stop until its servers were secure.

"I've told our entire team that our goal can't be simply to fix the problem and move on," he said. "Confronting cybersecurity risks is a daily fight. While we've made significant investments in data security, we recognize we must do more. And we will." ®
