2017-09-07 18:35:02
Equifax Says Cyberattack May Have Affected 143 Million Customers

Equifax, one of the three major consumer credit reporting agencies, said on Thursday that a data breach left Social Security numbers, driver’s license numbers and other sensitive information for 143 million United States consumers vulnerable to hackers.

Criminals gained access to certain files in the company’s system from mid-May to July by exploiting a weak point in a website application, according to an investigation by Equifax. The company said that it discovered the intrusion on July 29 and has since found no evidence of unauthorized activity on its main consumer or commercial credit reporting databases.

Hackers were able to retrieve birth dates and addresses, as well as credit card numbers for 209,000 consumers. Documents with personal information used in disputes for 182,000 consumers were also taken.

Equifax said that some personal information for British and Canadian residents was also hacked.

The data breach at Equifax is not the largest. Yahoo disclosed in September 2016 that 500 million user accounts had been hacked in 2014, followed by a second disclosure three months later that a different attack in 2013 compromised more than one billion accounts.

Equifax said that, in addition to reporting the breach to law enforcement, it had hired a cybersecurity firm to conduct a review to determine the scale of the invasion. The investigation is expected to wrap up within the next few weeks.

The company handles data on more than 820 million consumers and more than 91 million businesses worldwide and manages a database with employee information from more than 7,100 employers, according to its website.

“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do,” Richard F. Smith, chairman and chief executive of Equifax, said in a statement. “Confronting cybersecurity risks is a daily fight.”

The company created a website, www.equifaxsecurity2017.com, to help consumers determine whether their data was at risk.

“While we’ve made significant investments in data security, we recognize we must do more,” Mr. Smith said.