Equifax, one of the three main credit card reporting companies in the U.S., announced Thursday that it has become the victim of a cyber-attack. About 143 million consumers in the U.S. could be affected, the company said.
Cybercriminals stole names, birth dates, driver’s license numbers, addresses and Social Security numbers.
The company also said the credit card numbers of about 209,000 people had been stolen, while data that could personally identify about 182,000 customers involved in credit report disputes was also breached.
Credit card bureaus track and rate the financial history of consumers in the U.S. They get their data from banks, credit card companies, lenders and retailers, without the knowledge of the consumers. Although they are not owned by the government, a law, the Fair Credit Reporting Act, governs how they should operate.
According to Equifax, it will not contact all the consumers affected by the cyber theft but will send direct mail notices to consumers whose dispute records and credit card numbers were accessed.
Not the First Time
This is the third time since 2015 that Equifax has had a major threat to data security. However, this latest attack is one of the largest risks to sensitive personal information.
Equifax, as well as other credit card bureaus, are prime targets for hackers, who can hit just one of the companies and get all the data that would create the most damage.
Equifax Slow Response
Equifax was criticized by cybersecurity professionals for its slow response to the attack. In reality, Equifax discovered the attack back on July 29 but waited five weeks before making a public announcement.
The company's investigation and security consultants said that weak points in the website software were exploited by cybercriminals. The attackers were able to access some files in Equifax's system from the middle of May until July. The company said it has not found any other unauthorized activity on its databases after the discovery.
Equifax published a link to the informational website that it created on Thursday. It also released a hotline number that concerned customers can call to check if their personal data were affected.
But thousands of customers who logged into the website were dismayed. Many of the early website visitors were not able to get through. Later, some people were finally able to access the site.
What the customers saw was the message that Equifax was offering “TrustedID Premier,” a free credit monitoring and identity theft protection service for one year. But the fine print offers more surprises.
Consumers who agree to sign up for the free credit monitoring program would have to give up their right to sue the company or file a class action lawsuit over various types of damages resulting from the most recent cyber-attack.
The hotline number was managed by contractors. Aside from several dropped calls, consumers were irritated because the customer service people were not able to give them the right answers and instead directed them to the website.
For Equifax’s CEO Rick Smith, their offering is an ‘unprecedented step.’ But for Boston management consultant John Peterson, the offer is irrelevant because the hackers already got everything that can allow them to create bogus credit lines using the personal information they’ve stolen.
There are already class action suits filed against Equifax in Portland, Oregon. Moreover, several law firms have initiated investigations into possible violations of securities law by the company.
In terms of security breaches, the attack on Yahoo in 2016 was bigger. However, what occurred at Equifax was far more severe because, aside from personal information, the attackers were able to unlock employee accounts and consumers’ bank accounts and medical histories. Gartner fraud analyst Avivah Litan said it is a “10” in terms of risk to consumers, based on a scale of 1 to 10.
Cybersecurity professionals criticized Equifax for not improving its online security practices despite the recurring thefts. In 2016, salary and W-2 tax data were stolen from its site. In early 2017, TALX, a subsidiary of Equifax, had W-2 data stolen. TALX provides online human resources, tax and payroll services for some of the largest corporations in the U.S.
According to the Equifax website, it manages employee databases for over 7,100 employers. It also handles data on more than 91 million businesses around the world as well as 820 million consumers.