[BreachExchange] Equifax Announces Three Month Long Breach, Impacting Approximately 143M Consumers

Inga Goddijn inga at riskbasedsecurity.com
Thu Sep 7 18:43:49 EDT 2017


https://www.equifaxsecurity2017.com/

September 7, 2017 — Equifax Inc. (NYSE: EFX) today announced a
cybersecurity incident potentially impacting approximately 143 million U.S.
consumers. Criminals exploited a U.S. website application vulnerability to
gain access to certain files. Based on the company’s investigation, the
unauthorized access occurred from mid-May through July 2017. The company
has found no evidence of unauthorized activity on Equifax’s core consumer
or commercial credit reporting databases.

The information accessed primarily includes names, Social Security numbers,
birth dates, addresses and, in some instances, driver’s license numbers. In
addition, credit card numbers for approximately 209,000 U.S. consumers, and
certain dispute documents with personal identifying information for
approximately 182,000 U.S. consumers, were accessed. As part of its
investigation of this application vulnerability, Equifax also identified
unauthorized access to limited personal information for certain UK and
Canadian residents. Equifax will work with UK and Canadian regulators to
determine appropriate next steps. The company has found no evidence that
personal information of consumers in any other country has been impacted.
Equifax discovered the unauthorized access on July 29 of this year and
acted immediately to stop the intrusion. The company promptly engaged a
leading, independent cybersecurity firm that has been conducting a
comprehensive forensic review to determine the scope of the intrusion,
including the specific data impacted. Equifax also reported the criminal
access to law enforcement and continues to work with authorities. While the
company’s investigation is substantially complete, it remains ongoing and
is expected to be completed in the coming weeks.

“This is clearly a disappointing event for our company, and one that
strikes at the heart of who we are and what we do. I apologize to consumers
and our business customers for the concern and frustration this causes,”
said Chairman and Chief Executive Officer, Richard F. Smith. “We pride
ourselves on being a leader in managing and protecting data, and we are
conducting a thorough review of our overall security operations. We also
are focused on consumer protection and have developed a comprehensive
portfolio of services to support all U.S. consumers, regardless of whether
they were impacted by this incident.”

Equifax has established a dedicated website, www.equifaxsecurity2017.com,
to help consumers determine if their information has been potentially
impacted and to sign up for credit file monitoring and identity theft
protection. The offering, called TrustedID Premier, includes 3-Bureau
credit monitoring of Equifax, Experian and TransUnion credit reports;
copies of Equifax credit reports; the ability to lock and unlock Equifax
credit reports; identity theft insurance; and Internet scanning for Social
Security numbers – all complimentary to U.S. consumers for one year. The
website also provides additional information on steps consumers can take to
protect their personal information. Equifax recommends that consumers with
additional questions visit www.equifaxsecurity2017.com or contact a
dedicated call center at 866-447-7559, which the company set up to assist
consumers. The call center is open every day (including weekends) from 7:00
a.m. – 1:00 a.m. Eastern time.

In addition to the website, Equifax will send direct mail notices to
consumers whose credit card numbers or dispute documents with personal
identifying information were impacted. Equifax also is in the process of
contacting U.S. state and federal regulators and has sent written
notifications to all U.S. state attorneys general, which includes Equifax
contact information for regulator inquiries.

Equifax has engaged a leading, independent cybersecurity firm to conduct an
assessment and provide recommendations on steps that can be taken to help
prevent this type of incident from happening again.

CEO Smith said, “I’ve told our entire team that our goal can’t be simply to
fix the problem and move on. Confronting cybersecurity risks is a daily
fight. While we’ve made significant investments in data security, we
recognize we must do more. And we will.”
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170907/5d56a473/attachment.html>


More information about the BreachExchange mailing list