The personal data of nearly half of all Americans – including names, birth dates, Social Security numbers, credit-card information, addresses and even driver’s license numbers – may have been stolen by criminal hackers, one of the largest credit reporting agencies in the U.S. said Thursday.
Equifax announced that the data breach may impact as many as 143 million U.S. customers, CNBC reported. That’s nearly half of the current U.S. population of 324 million, meaning it impacts a massive number of Americans and is one of the largest cybersecurity breaches in U.S. history.
Equifax apparently discovered the breach 40 days ago, on July 29, and it is only now announcing the incident.
“Criminals exploited a U.S. website application vulnerability to gain access to certain files,” the company told CNBC Thursday.
Equifax said the breach occurred from mid-May through July 2017. Numbers for 209,000 U.S. credit cards were accessed, in addition to “certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers.”
However, the company made no mention of the fact that its chief financial officer, John Gamble, sold shares worth $946,374 just three days after the breach was discovered. Also, Joseph Loughran, president of U.S. information solutions, sold off $584,099 in stocks. And Rodolfo Ploder, president of workforce solutions, sold shares worth $250,458.
“This is a security risk for any and every website that anyone uses,” said cyber-security firm Soteria CEO and founder Christopher O’Rourke, according to CNBC. “Most often, security questions to access those websites use that data, like a previous address, so this becomes an open-source intelligence nightmare, worse in many ways than the Office of Professional Management government breach. It’s nasty. If I can get my hands on that information, I can call a bank. They’re going to ask me for your social, address, the information that was leaked here, to get access.”
Equifax CEO and Chairman Richard Smith apologized to U.S. consumers, acknowledging that the breach involved information that Equifax was trusted to safeguard.
Equifax tweeted Thursday: “We recently discovered a cybersecurity incident involving consumer information. Once discovered, we acted immediately to stop the intrusion.”
Livid Twitter users unloaded on the credit reporting agency for waiting so long to inform consumers:
- “You waited a month to tell the people who use your service and allowed executives to sell off their stock before letting everyone know.” – Ryan
- “You knew about this on July 29th but waited till now to tell everyone. Nice.” – Credit Error Lawyer
- “So you’re going to pay all the people whose identities you just negligently gave away, right?” – Matthew
- “Not good enough. Equifax should give all victims free monitoring and insurance for life.” – Cliff Vegas
- “‘Recently discovered’? Are you kidding? Shame on you!!” – Monica Sherer
- “You learned back on July 29, but we had to hear it from the news first. Shame on your customer service. I am cancelling my account.” – Jim Redner
- “Acted immediately? After personal data of 1/2 US population already out the door? Please!” – Capitola
- “So you, a private for-profit business, host my private data without my consent, and you leaked it out. Why shouldn’t I be able to sue you?” – Skyler!
- “Roughly half the U.S. population impacted and you tell us now have a major hack that happened months ago? Grossly irresponsible!!!!” – Eric von Foerster
- “As recently as JULY while your executives sold their shares???” – Glittershart
Equifax is notifying impacted customers by mail and has completed a private investigation into the incident. The company is also reportedly working with state and federal authorities. During after-hours trading, Equifax shares fell more than 6 percent.
As WND has reported, Americans have been victimized by massive data breaches in just the last few years.
In September 2015, the Office of Personnel Management warned that the fingerprints of 5.6 million people had been stolen in a cyber attack believed to have come at the hands of the Chinese. The hack attack targeting federal employees resulted in the theft of sensitive information provided by intelligence and military personnel who had sought security clearances. Nearly every one of the millions of U.S. security-clearance holders was said to be impacted, including personnel from the CIA, National Security Agency and military special operations.
The week before that incident, OPM reported a “cyber-intrusion” of its systems and estimated that data from up to 14 million current and former federal workers had been compromised – the largest hack in federal history. The hackers reportedly stole Social Security numbers, military records, addresses, birth dates, pay histories, health data and pension information on past and present federal employees.
In January 2016, Rep. Jason Chaffetz, then chairman of the House Oversight Committee, warned of a potentially huge data breach at the Department of Education, where nearly half of Americans’ records are stored.
“Almost half of America’s records are sitting at the Department of Education,” Chaffetz said. “I think ultimately that’s going to be the largest data breach that we’ve ever seen in the history of our nation.”
The IG rated the Department of Education an “F” on four different security tests for federal agencies, as implemented under the Federal Information Technology Acquisition Reform Act. And IG watchdogs followed that written report with testimony before Congress criticizing the agency for failing to abide by several warnings of vulnerability. Chaffetz said part of the problem was that the Department of Education’s data collection process relied on 184 different systems, mostly managed by contractors. And of crucial importance: The agency holds 139 million Social Security numbers and oversees more than 40 million federal student loan borrowers.
Meanwhile, retail giant Target is reportedly paying $18.5 million in a multi-state settlement following a massive data breach in 2013. The breach impacted 41 million customer accounts. An investigation into the breach determined that cyber hackers accessed Target’s customer database with stolen third-party credentials. The hackers installed malware on Target’s system and collected full names, phone numbers, email addresses, card numbers, verification codes and other sensitive information.