Stand up who HASN'T been hit in the Equifax mega-hack – whoa, whoa, sit down everyone

143m in US, unknown number in UK, Canada – gulp!

By Iain Thomson in San Francisco


Global credit reporting agency Equifax admitted today it suffered a massive breach of security that could affect almost half of the US population.

In a statement, the biz confessed that hackers managed to get access to some of its internal data in mid-May by exploiting a vulnerable website application. They remained on the system until they were discovered on July 29. Equifax has called in the FBI and is in contact with regulators in other countries about the case.

CEO Richard Smith said that the company's core consumer and commercial credit reporting databases were untouched – only the names, social security numbers, birth dates, addresses and, in some instances, driver's license numbers of 143 million Americans were exposed.

Here's Smith explaining himself to the world this afternoon in a video:

As for folks' credit card numbers, Equifax said payment card details for around 209,000 US consumers were also swiped by miscreants. In addition, "certain dispute documents with personal identifying information" belonging to 182,000 Americans were also illegally accessed. An unknown number of Canadian and UK customers have also had their private data pinched.

"This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do," said Smith.

"I apologize to consumers and our business customers for the concern and frustration this causes. We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations."

In response to the debacle, Equifax is offering a year's free identity theft monitoring to every US citizen who applies, and has set up a dedicated call center and website to handle information requests from worried consumers. It will also mail notifications to everyone who lost data in the incident.

Yes, the identity theft detection service will be supplied by... Equifax. And if you want to check you're affected by the mega-hack, you have to supply your last name and last six digits of your social security number. To an outfit that just lost your social security number. Which is no use to peeps in the UK or Canada.

Having said that, as responses go, that's better than we've seen from other companies, which usually just tell potential victims to keep an eye on their credit card bills. Then again, since the credit-rating giant does commercial identity theft monitoring, giving it away isn't too expensive for their accountants.

After such a monumental IT cockup, Equifax has called in a professional security firm to lock down its systems and pick apart the event, gathering evidence as to what has been stolen and possibly gaining clues as to who has it. Smith pledged that the company would not stop until its servers were secure.

"I've told our entire team that our goal can't be simply to fix the problem and move on," he said. "Confronting cybersecurity risks is a daily fight. While we've made significant investments in data security, we recognize we must do more. And we will." ®
