The Atlanta, Ga.-based office of consumer credit-reporting agency Equifax Inc. announced Thursday that it had been the victim of a cybersecurity breach that may affect approximately 143 million consumers, including some Canadians.
The majority of information accessed in the breach included names, social security numbers, birth dates, addresses, some driver’s licence numbers, the credit card numbers for approximately 209,000 U.S. consumers, and dispute documents with personal identifying information for approximately 182,000 U.S. consumers.
The company also discovered unauthorized access to what CBC News reported as “limited personal information” for some Canadian and U.K. residents, but did not disclose the number of people affected.
In a statement, Equifax said that it will work with U.K. and Canadian regulators to “determine appropriate next steps,” adding that it has “found no evidence that personal information of consumers in any other country has been impacted.”
“We recently discovered a cybersecurity incident involving consumer information. Once discovered, we acted immediately to stop the intrusion.”
— Equifax Inc. (@Equifax), September 7, 2017
Though Equifax only reported the breach this week, the unauthorized access occurred between mid-May and July 2017. According to the company’s internal investigation, the perpetrators exploited a vulnerability in a U.S. website application to access the files.
After the announcement, a Bloomberg investigation revealed that three Equifax executives had sold their company stock before the hack was disclosed, though according to the company, the trio had not yet been informed of the incident.
In a statement emailed to ITBusiness.ca, David Masson, Canada country manager of cybersecurity firm Darktrace, said that Canadian companies should view the breach as a cautionary tale.
“Time and time again, we have seen attacks of this scale plague the news,” Masson said. “It is clear that companies have a huge visibility problem – they simply cannot see what is happening inside their own networks.”
“New cyber-attacks are increasingly inconspicuous – in Equifax’s case, able to exfiltrate data from the network for almost two months without sounding any alarms,” he continued. “With 143 million accounts potentially breached, cyber-criminals are undoubtedly succeeding in undermining consumer confidence in organizations’ ability to keep our information private.”
“Companies need to ask themselves a crucial question: how do you stop the attacker already inside your network, before it escalates into a crisis?”