Credit referencing firm Equifax has reported a cyber-breach which spilled the personal details of approximately 143 million US consumers. The company says unidentified intruders exploited a US website application vulnerability to gain access to certain files over a three-month period between May and July of this year.
The information leaked primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver's license numbers.
In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed.
Equifax also identified snooping activity relating to "limited personal information" for a number of UK and Canadian residents.
The company says it has found no evidence of unauthorised activity on its core consumer or commercial credit reporting databases.
Equifax chairman and CEO, Richard Smith, says: "This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologise to consumers and our business customers for the concern and frustration this causes"
The firm has established a dedicated website, www.equifaxsecurity2017.com, to help consumers determine if their information has been potentially impacted and to sign up for credit file monitoring and identity theft protection.
Commenting on the leak, Chris Morales, head of security analytics at Vectra, says: “Equifax needs to raise their cybersecurity score. Enterprises have to realise they cannot address cybersecurity by simply spending money on intrusion prevention solutions and instead need to shift investments to detection and response solutions that are being used by today’s advanced attackers. The cyber attackers gained a foothold by seemingly exploiting a web application vulnerability. From there, they most likely escalated privileges, abused credentials and admin protocols, moving laterally through the network, which businesses rarely have the necessary tools to detect.”
Equifax CEO Smith retorts: "I've told our entire team that our goal can't be simply to fix the problem and move on. Confronting cybersecurity risks is a daily fight. While we've made significant investments in data security, we recognize we must do more. And we will."