Equifax, one of the three major consumer credit reporting agencies, said yesterday that hackers had gained access to company data and compromised sensitive information for 143 million American consumers, including Social Security numbers and driver’s license numbers. Additionally, Equifax said that credit card numbers for about 209,000 U.S. customers were exposed, as was “personal identifying information” on roughly 182,000 U.S. customers involved in credit report disputes.
The attack on the company represents one of the largest risks to sensitive personal information in recent years, and is the third major cybersecurity threat for the agency since 2015.
Criminals gained access to certain files in the company’s system from mid-May to July by exploiting a weak point in website software.
Unlike other data breaches, not all of the people affected by the Equifax breach may be aware that they’re customers of the company. Equifax gets its data from credit card companies, banks, retailers, lenders and other institutions that report on the credit activity of individuals to credit reporting agencies.
To see if your personal information is potentially impacted, you can go here, click “Am I impacted” and submit your name and the last six digits of your Social Security number. You can also proceed to enroll in complimentary identity theft protection and credit file monitoring. However, be careful. At first, Equifax said anyone who gets the credit monitoring service, TrustedID, must agree to submit any complaints about it to arbitration. Those people wouldn’t be allowed to sue, join a class-action suit, or benefit from any class-action settlement. After public pressure, Equifax added an opt-out provision on Friday. Customers can get out of the arbitration requirement by notifying Equifax in writing within 30 days of accepting the monitoring service. It might be safer to skip it for now.
In other related news, three senior Equifax executives sold a combined $1.8 million in company stock just days after the company discovered a massive security breach. But I doubt there’s any wrongdoing there because the company said the executives “had no knowledge that an intrusion had occurred at the time they sold their shares.”
Update: Here’s a report of actions taken by Equifax.