A massive data breach at the credit scoring company Equifax has left 143 million Americans vulnerable to identity theft.
Hackers accessed names, social security numbers, dates of birth, addresses, drivers license information and credit card numbers—enough to steal someone’s identity, say security experts.
Equifax is one of three major credit scoring companies in the U.S. including Experian and TransUnion and the number of people affected represents nearly half of the 323 million U.S. population.
"[It is] no exaggeration to suggest that a breach such as this—exposing highly sensitive personal and financial information central for identity management and access to credit—represents a real threat to the economic security of Americans,” Democratic Senator Mark Warner, vice chairman of the Senate Intelligence Committee Mark Warner told reporters late Thursday.
“On a scale of one to 10, this is a 10 in terms of potential identity theft,” Avivah Litan, a security analyst at the information technology firm Gartner told the Associated Press. “Credit bureaus keep so much data about us that affects almost everything we do.”
But when people began contacting Equifax to find out if their data was affected by the breach they were met with confusion.
"At this time, we do not have a database of impacted individuals. I am unable to tell you whether you are impacted,” Equifax customer service told Bloomberg reporter Polly Mosendz. “We are a company that was hired by Equifax to provide call center services but as of this point they haven't provided us with that database.”
The publication Fast Company was met with customer service representatives who weren’t even aware of the data breach. “No, we haven’t received any news about [the breach],” a customer service supervisor told reporters. “I’ll take note of this, this ‘massive hack’ that you’re referring to,” she said. “We have no information about this,” she added. “We’ll look into this.”
In a statement Thursday Equifax said it will “offer free identity theft protection and credit file monitoring to all U.S. consumers” affected by the hack.
Equifax set up a dedicated website to “to help consumers determine if their information has been potentially impacted” and claim the identity theft protection offer. The application form asks people for the last six digits of their social security number.
The statement also tells those potentially impacted by the breach to call Equifax’s dedicated call center “set up to assist consumers” if they have additional questions.
Equifax, Experian, and TransUnion each stockpile data and there is overlap between the firms. So Americans won't necessarily know which firm holds their data.
“In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed,” the company said.
Equifax said it discovered the hack on July 29 and hired a cybersecurity firm to investigate. The company waited until Thursday to warn the public.
By August 2, three of the company's senior executives sold shares worth almost $1.8 million, Bloomberg reports, citing SEC filings. Chief Financial Officer John Gamble sold shares worth $946,374, Joseph Loughran, president of U.S. information solutions, sold $584,099, and Rodolfo Ploder, president of workforce solutions, sold $250,458.
The executives “had no knowledge that an intrusion had occurred at the time they sold their shares,” Equifax said in a statement.