Equifax, the credit ratings agency, has warned that it has been hacked, losing the personal details of some 143 million Americans – 44 per cent of the adult population – in a data breach that outsiders suggest was the result of a simple SQL injection attack.
Due to the sensitivity of the information that has been lost, it could arguably be described as one of the biggest hacks in the world.
The company, which also operates in the UK, publicly admitted the breach on Thursday night, warning that “criminals” had exploited a website application vulnerability to access the highly personal files between mid-May and July of this year.
Ondrej Vlcek, chief technology and general manager at security outfit Avast, speculated that the attackers used a SQL injection flaw to gain access.
Information accessed includes names, all-important Social Security numbers, dates of birth, addresses and some driver licence numbers, all of which can be used by the attackers to easily hijack the identities of people whose credentials were stolen.
Credit card numbers belonging to approximately 209,000 US consumers were also accessed, as were dispute documents with “personal identifying information” for about 182,000 people.
Equifax says that the hackers also gained unauthorised access to “limited personal information” of some UK and Canadian residents, but hasn’t provided any further details.
“Equifax will work with UK and Canadian regulators to determine appropriate next steps,” the company said.
Richard Smith, chief executive of Equifax, described the breach – which is one of the largest ever reported in the US – as “disappointing”.
“This is clearly a disappointing event for our company and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes,” he said.
He continued: “We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations.
“We also are focused on consumer protection and have developed a comprehensive portfolio of services to support all US consumers, regardless of whether they were impacted by this incident.”
Equifax has set up a dedicated website, where people can check to see if their personal information may have been stolen. Consumers can also call 866-447-7559 for more information.
Equifax is offering customers free credit monitoring using its own breached service, but this move has been slammed by security experts.
Vlcek says that, rather than taking advantage of Equifax’s offer, consumers should “consider looking into a credit freeze that will stop hackers from using your identity to accrue debt” and “closely monitor all email, social, credit card and bank accounts closely for suspicious activities”.
As if news of the hack wasn’t bad enough, Bloomberg reports that three Equifax executives sold company shares worth $1.8 million after the breach was discovered by the company on 29 July.
The company claims that they “had no knowledge that an intrusion had occurred at the time they sold their shares”.
This isn’t the first time Equifax has been involved in a serious data breach.
In 2013, the company confirmed that the personal details of famous people – including US Vice President Joe Biden, FBI Director Robert Mueller and rapper Jay Z – were exposed on annualcreditreport.com, a site that enables consumers to monitor their credit reports.