Equifax Web Application Flaw Leaked 143M Customer Records.
Credit reporting agency Equifax said Thursday a web application flaw exposed 143 million customer records to hackers. This is a startling breach for a company that ironically offers identity theft protection services.
The information exposed includes names, Social Security numbers, birth dates, addresses and in some cases, driver’s license numbers, according to a news release. Although most of those affected are U.S. consumers, Equifax says some “limited personal” information for U.K. and Canadian residents was affected.
Equifax also says the breach exposed credit card numbers for 209,000 U.S. consumers. The hackers also accessed what Equifax described as “dispute documents” containing personal information for 182,000 U.S. consumers.
While not the largest breach on record, it’s certainly one of the most sensitive. Equifax is one of the largest aggregators of financial data related to U.S. consumers, and its records are used by a variety of other businesses to gauge a person’s creditworthiness.
“On a scale of one to 10 in terms of risk to consumers, this is a 10,” says Avivah Litan, a vice president with the analyst firm Gartner. “Equifax holds consumers’ most personally sensitive financial information.”
The type of information leaked is a perfect package for a fraudster looking to impersonate someone else.
In the news release, Equifax Chairman and CEO Richard F. Smith says, “This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do.”
“I apologize to consumers and our business customers for the concern and frustration this causes. We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations.”
Although major data breaches have become nearly routine, Equifax’s lapse is “especially alarming and serious,” says Atiq Raza, CEO of the web application security company Virsec. Of particular concern is the static nature of data, such as birth dates.
“Almost all the data that credit reporting companies like Equifax hold is sensitive, and much of it is used to establish identity – birth dates, addresses, driver’s licenses, and other data types are routinely used to verify identity,” Raza says. “It’s one thing to ask a consumer to change a password, but how do you change your birth date?”
Equifax says it will only send notifications by direct mail to the 209,000 people whose payment card information was leaked and the 182,000 consumers whose dispute documents were exposed.
For everyone else, Equifax has set up a web-based tool for people to check if their data is in the breach.