It was only a matter of time before hackers hit the Holy Grail of data jackpots: consumer credit agency Equifax was nailed by a breach that could have essentially exposed everyone with a credit record in the US.
Equifax, a provider of consumer credit reports, said it experienced a data breach affecting as many as 143 million US people after criminals exploited a vulnerability on its website. The US population is about 324 million people, so that's about 44 percent of its population.
The data exposed in the hack includes names, Social Security numbers, birth dates, addresses, and, in some cases, driver license numbers. The hackers also accessed credit card numbers for 209,000 US consumers and dispute documents with personal identifying information for about 182,000 US people. Limited personal information for an unknown number of Canadian and UK residents was also exposed. Equifax—which also provides credit monitoring services for people whose personal information is exposed—said the unauthorized access occurred from mid-May through July.
"Criminals exploited a US website application vulnerability to gain access to certain files," Equifax said in a statement late Thursday, without elaborating. That leaves open a wide range of possibilities, with injection bugs, faulty authentication mechanisms, and cross-site scripting vulnerabilities topping the list of the most widely exploited website flaws.
This isn't the first time a garden-variety website flaw has been exploited to obtain a massive amount of sensitive data. Associates of Albert Gonzalez, a convicted hacker who was sentenced to 11 years in federal prison, exploited a SQL-injection flaw that helped them obtain data for 130 million credit cards. On Wednesday, exploit code for a nine-year-old code-execution vulnerability in Apache Struts 2—a software framework used by many large financial service websites—went public, but there was no immediate indication that the Equifax site uses it.
You read that right. One hundred forty-three million credit records exposed. Equifax is offering free credit monitoring to anyone affected, but that's pretty much everyone in the US with an Equifax credit file.
Which is, you know, anybody who ever had a credit card or loan application in the last 25 years.
Needless to say, you should consider your identity compromised and should take steps to protect it.
Until the next massive data breach, that is. If you're wondering about consequences for Equifax's corporate leadership, well... let's just say they knew what was coming and acted in their own self-interest.
In other words, they knew for over a month and didn't tell anyone, and they sold shares before the breach was revealed and Equifax stock crashed.
Three Equifax Inc. senior executives sold shares worth almost $1.8 million in the days after the company discovered a security breach that may have compromised information on about 143 million U.S. consumers.
The credit-reporting service said late Thursday in a statement that it discovered the intrusion on July 29. Regulatory filings show that three days later, Chief Financial Officer John Gamble sold shares worth $946,374 and Joseph Loughran, president of U.S. information solutions, exercised options to dispose of stock worth $584,099. Rodolfo Ploder, president of workforce solutions, sold $250,458 of stock on Aug. 2. None of the filings lists the transactions as being part of 10b5-1 pre-scheduled trading plans.
Because corporate America.
Sure hope the credit records for these three aren't compromised, ya know? That would be a shame.