Hackers have hit a treasure trove of financial data from potentially up to 143 million people in the US.
Equifax, a prominent credit reporting firm, said Thursday that it was hacked from mid-May to July, with thieves stealing names, Social Security numbers, birthdates and addresses from its customers.
The US population is 323 million people, according to the US Census Bureau. This would mean that nearly half the country is at risk for having their personal data leaked from the Equifax breach. And the 143 million affected doesn’t include victims from around the world.
Hackers hit the jackpot in data breaches thanks to the massive amount of sensitive information stored within a single company. Equifax’s breach is among the largest in the US, and the biggest known leak in 2017.
You can check if your data was leaked by heading to Equifax’s website. Here’s a step-by-step on .
“This is clearly a disappointing event, and one that strikes at the heart of who we are and what we do. I deeply regret this incident,” Rick Smith, Equifax’s CEO, said in a video released Thursday.
But worried consumers expressed frustration with a tool the company launched to help them determine whether their personal information had been stolen by hackers.
The company learned about the breach on July 29 and announced it more than a month later. About 209,000 people have had their credit card numbers stolen, while hackers also stole documents with personal information on 182,000 victims, Equifax said in a statement to its investors.
People in the United Kingdom and Canada have also been affected by the breach, the company said. It has since stopped the breach, and is still investigating who is behind the break-in.
“Criminals exploited a US website application vulnerability to gain access to certain files,” Equifax said in its statement. The company is working with law enforcement on the investigation.
Equifax is one of three major companies that monitor credit scores after massive data breaches. Companies like Target, Home Depot and Sony have offered free credit monitoring through Equifax after they suffered breaches. Now Equifax is offering its credit monitoring service for people affected by its own breach.
Equifax said it’s offering free identity theft protection and credit monitoring for its customers for the next year. The company didn’t respond to requests for comment.
“Given that financial institutions including credit card companies, banks, credit unions, retailers and lenders report the details of credit activity to Equifax, the 143 million consumers affected may not even be aware the company has this information on them,” Theresa Payton, the CEO of Fortalice Solutions, a security company, said in an email.
Sen. Mark Warner (R-Virginia), the vice chair of the Senate Intelligence Committee, called Equifax’s revelation “profoundly troubling” and suggested it was time for Congress to weigh in on stronger data protection standards to protect consumers.
Warner said the hack “raises serious questions about whether Congress should not only create a uniform data breach notification standard, but also whether Congress needs to rethink data protection policies, so that enterprises such as Equifax have fewer incentives to collect large, centralized sets of highly sensitive data like SSNs and credit card information on millions of Americans.”
The picture of Equifax’s response to the breach was complicated by stock sales made by company executives after the breach was uncovered. Three executives, including the company’s chief financial officer, sold shares worth almost $1.8 million three days after the breach was discovered and several weeks before it was made public, according to regulatory filings.
The Securities and Exchange Commission bars corporate insiders such as executives, employees and directors from buying or selling stock in their company while in possession of material information not yet made public. Equifax denied the executives, which included CFO John Gamble, sold their shares based on insider information.
“The three executives who sold a small percentage of their Equifax shares on Tuesday, August 1, and Wednesday, August 2, had no knowledge that an intrusion had occurred at the time they sold their shares,” Ines Gutzmer, Equifax’s chief of corporate communications, told CNET.
Equifax’s stock, which had been up in regular trading, dropped more than 18 percent in after-hours trading following the announcement.
This story was originally published a 2:25 p.m. PT.
Updated at 6 p.m. PT: To include consumer and Sen Warner reactions.
Updated at 4:10 p.m. PT: To include executive stock sales and after-hours trading.
Updated at 3:06 p.m. PT: To include details about Equifax and statements from an expert.
CNET Magazine: Check out a sample of the stories in CNET’s newsstand edition.
Logging Out: Welcome to the crossroads of online life and the afterlife.