From lawmakers to law firms, Equifax now is in the middle of a financial hurricane as the credit bureau announced late on Thursday that a cybersecurity incident potentially impacted approximately 143 million U.S. consumers.
In its announcement, Equifax said criminals exploited a U.S. website application vulnerability to gain access to certain files. Based on the company’s investigation, the unauthorized access occurred from mid-May through July.
The company added that has found no evidence of unauthorized activity on Equifax's core consumer or commercial credit reporting databases.
Equifax said the information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver's license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed, according to the company’s announcement.
As part of its investigation of this application vulnerability, Equifax also identified unauthorized access to limited personal information for certain U.K. and Canadian residents. Equifax said it will work with U.K. and Canadian regulators to determine the appropriate next steps.
The company also noted has found no evidence that personal information of consumers in any other country has been impacted.
Equifax indicated that it discovered the unauthorized access on July 29 of and acted “immediately to stop the intrusion.” The company said it promptly engaged a leading, independent cybersecurity firm that has been conducting a comprehensive forensic review to determine the scope of the intrusion, including the specific data impacted.
Equifax also reported the criminal access to law enforcement and continues to work with authorities. While the company’s investigation is substantially complete, it remains ongoing and is expected to be completed in the coming weeks.
"This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes,” Equifax chairman and chief executive officer Richard Smith said.
“We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations,” Smith continued. “We also are focused on consumer protection and have developed a comprehensive portfolio of services to support all U.S. consumers, regardless of whether they were impacted by this incident.”
By lunchtime on Friday, more than a half dozen shareholder rights law firms push out announcements regarding their own investigations. Attorney John Yanchunis of ClassAction.com and Morgan & Morgan already had filed a class action lawsuit against Equifax in the Northern District of Georgia.
Part of what is intensifying plaintiff attorneys’ efforts is what San Diego-based firm Johnson Fistel highlighted. It’s what a pair of high-level Equifax executives did, according to regulatory filings.
“(These filings) show on Aug. 3, just days after the July 29 breach discovery, chief financial officer John Gamble sold shares worth $946,374 and Joseph Loughran, president of U.S. information solutions, exercised options to dispose of stock worth $584,099,” Johnson Fistel said in a news release.
On Capitol Hill, members of Congress want more answers, too. And not just from Equifax. Rep. Ted Lieu, a California Democrat, is seeking a U.S. House Judiciary Committee hearing.
“In light of recent events, I request the committee call upon representatives from the Big 3 credit reporting agencies — Experian, TransUnion and Equifax — to testify not only on the breach that occurred in May 2017, but also to identify how each company is taking proactive, defensive steps to prevent such breaches in the future,” Lieu said.
“Congress has a strong role to play in preventing such attacks on our financial and IT infrastructure, and must hold those entrusted with our most sensitive data to account,” he added.
Equifax went on to say that it has engaged a leading, independent cybersecurity firm to conduct an assessment and provide recommendations on steps that can be taken to help prevent this type of incident from happening again.
“I’ve told our entire team that our goal can’t be simply to fix the problem and move on. Confronting cybersecurity risks is a daily fight. While we’ve made significant investments in data security, we recognize we must do more. And we will," Smith said.