Equifax says personal data of 143 million customers exposed in cyber attack

Credit-reporting company Equifax has just announced a major cyber security breach that has exposed the data of approximately 143 million U.S. consumers.

What data was exposed?

The company says the following data was accessed:

  • names
  • Social Security numbers
  • birth dates
  • addresses
  • driver's license numbers
  • credit card numbers (approx. 209,000 U.S. consumers)
  • dispute documents (approx. 182,000 U.S. consumers)

Equifax says the data of some UK and Canadian residents may have been exposed as well.

When did this happen?

The company discovered the intrusion on July 29 and believes the intrusion happened between mid-May and July 2017.

What did Equifax do when it discovered the intrusion?

The company says it immediately took action to stop the breach. It also hired a cybersecurity firm to learn more about the breach and determine how much data was exposed:

The company promptly engaged a leading, independent cybersecurity firm that has been conducting a comprehensive forensic review to determine the scope of the intrusion, including the specific data impacted. Equifax also reported the criminal access to law enforcement and continues to work with authorities. While the company's investigation is substantially complete, it remains ongoing and is expected to be completed in the coming weeks.

How can I determine if my data was exposed in the breach?

Equifax has set up a dedicated website, www.equifaxsecurity2017.com, where U.S. consumers can determine if their data was impacted.

To determine if you were potentially impacted by the breach, you can visit the Equifax security site and enter your last name and the last six digits of your Social Security number (no, the irony is not lost on us). If you were impacted, you'll receive a message indicating just that.

The company is also offering free credit file monitoring and identity theft protection:

The offering, called TrustedID Premier, includes 3-Bureau credit monitoring of Equifax, Experian and TransUnion credit reports; copies of Equifax credit reports; the ability to lock and unlock Equifax credit reports; identity theft insurance; and Internet scanning for Social Security numbers – all complimentary to U.S. consumers for one year.

The company says it will mail out notices to consumers whose credit card numbers and dispute documents were exposed in the breach.

What can I do if my data was exposed in the breach?

You should absolutely take advantage of the free credit file monitoring and identity theft protection. You should also do the following:

  • Obtain a free copy of your credit report from Equifax, Experian, and TransUnion by requesting the documents on the Annual Credit Report site. (Note: You can do this once a year for free.)
  • Place a credit freeze or fraud alert on your identity. You can learn more about placing a credit freeze here and learn more about placing a fraud alert here.
  • The FTC recommends filing your taxes early. If someone steals your personal data and files your taxes, they can use it to claim a tax refund or get a job.
  • Stay vigilant. Exposed data can be used in fraudulent calls, emails, and other messages.
  • If your driver's license number was stolen, contact your local Department of Motor Vehicles and explain the situation.
  • Visit IdentityTheft.gov for more information.

Mikah Sargent is Senior Editor at Mobile Nations. When he's not bothering his chihuahuas, Mikah spends entirely too much time and money on home automation products. You can follow him on Twitter at @mikahsargent if you're so inclined.

  • Your very own credit bureaus.
  • All the hackers got to do is wait it out a year after the monitoring ends.
    This has me uneasy
  • Unfortunate but inevitable. I better get free credit guard monitoring for a couple years. 😒
  • It's convenient for them to lose our data, and then have the audacity to charge us for continued monitoring services past the free year. If anything, these buttholes who lose our data should give us a lifetime of free monitoring services. This business model is a freaking joke.
  • Well I suppose that's one way to look at it.
  • Their business model is essentially data security. They should not be allowed to do business anymore. Makes me wonder about the other two companies.
  • Trans Union and Experian aren't much better with safeguarding data.
  • "They should not be allowed to do business anymore " Why is it that every time something goes wrong, the first response is "it should be illegal?" Or "it shouldn't be allowed?" I don't get it. But at the same time, given how many people these days are completely ok with giving away the liberties of others (but not their own), I suppose I'm not surprised. Imagine: Android central screws up on the accuracy of a story. Then: " their only business is to write stories. They shouldn't be allowed to do business anymore."
  • The false equivalency is strong. Android Central messing up a story has literally zero bearing on anything important in my life. A company whose sole purpose is to determine my credit worthiness based on knowing quite a bit about me letting all of that personal information get out? Yeah, that's important. If it was possible I would stop doing business with them. Unfortunately that's something that I have no control over.
  • It isn't a false equivalency when the premise for them to be forced to stop doing business is that their business is data security. Same exact thing as not allowing A.C. to write stories due to lack of accuracy within said stories. Is data security more volatile? Absolutely. Not my argument though.
  • AC messing up a story != Company letting 183,000,000 people's personal sensitive information get out. That seems simple. Let me ask. Why should this be ok and legal? Lives are probably going to get ruined because of this. Should they not be accountable for that?
  • The false equivalency is strong. Android Central messing up a story has literally zero bearing on anything important in my life. A company whose sole purpose is to determine my credit worthiness based on knowing quite a bit about me letting all of that personal information get out? Yeah, that's important. If it was possible I would stop doing business with them. Unfortunately that's something that I have no control over.
  • Also, why should it NOT be illegal for them to not take adequate precautions to safeguard the personal data of 183,000,000+ people? I wonder how many lives will be ruined because of this. I wonder if I'll be one of them...
  • Wow the AC app is just utterly bad for blog comments. Apologies
  • Yeah. Comments section is pretty terrible for keeping threads going for long discussion.
  • I might be misinterpreting you, but are you suggesting it should be illegal to be the victim of a hacker? It's not like they openly gave the information away or sold it.
  • if they did not do enough to protect, that is most likely "openly given".
  • That's an oversimplification. The person I replied to suggested that just because something goes wrong doesn't mean it should be illegal. I disagree with that. It definitely could be illegal to fall victim to hackers, if the law is written correctly. Let's say they run certain kinds of equipment, but they didn't apply the latest firmware that patches some security issues. If a patched issue was used to breach the servers, and it could have been prevented by a firmware update, is that not negligence? If it was phishing, did they adequately train employees to recognize that? I'm definitely not saying anytime a company gets hacked that company committed a criminal act. But I am saying that there could be times where it could be. Especially when the average American literally has no choice but to entrust the company with very personal information.
  • This happened to Experian recently as well!
  • If you're worried about the poor executives you don't have to. They didn't release the information about the hack until they dumped their stock before it tanked
  • Yeah, I read about that. C Y A We should be covered for a few years. And I'm sure we will be if something were to come up down the road-a simple reference to this, should give some help.
  • Smells like insider trading.
  • I like how when it's THEIR fault you're stuck with having to fix the problem.
  • Yep
  • Your user name is relevant here.
  • This crap gets tiresome...
  • "What did Equifax do when it discovered the intrusion?" Apparently, execs sold shares. From NBC News, referencing SEC filings: "Adding to the scandal, three of the company's top executives sold Equifax shares just days after the breach was discovered. The breach was not publicly disclosed until Thursday, more than six weeks later. John Gamble, chief financial officer; Joseph Loughran, president of U.S. information security and Rodolfo Ploder, president of workforce solutions sold shares days after the company was aware of the breach, according to SEC filings. Bloomberg, which first reported this, estimated the total value of shares sold to be $1.8 million." Heh.
  • I hope they nail these bastards to a wall for insider trading.
  • There's no way they did this illegally and especially not for that small a sum given the penalties (including being banned from being an executive officer of a public company). Most public companies have programs for executives that automatically sell stock at specified intervals. This allows executives to not worry about what happens and still sell their stock. As long as they didn't change their participation in the program during a time when they knew about this, it is completely legal.
  • Time to get Life Lock.
  • Life Lock is just as bad as some of the credit monitoring services. Their problem is the delay in real time data.
  • Dang! I was going to subscribe to them too.
  • Their biggest problem and it isn't only Lifelock is that the alerts when your identity is used it takes a couple days for them still to alert you that your information might have been used.
  • Ah okay. That's a bummer.
  • yup, I was affected according to them......man
  • Me too. I entered a random name and number, and it said that may have been affected too. So, who knows?
  • It says I was, but that my wife wasn't. So I am not sure what to believe.
  • That's odd.
  • That's weird. I checked my wife's too, but it said she may have been affected as well. This **** is so freaking annoying.
  • Maybe you didn't enter your wife's REAL Social Security Number, and she's been living with you under an assumed alias all this time. Can you really be sure that your wife isn't a Russian sleeper agent? Now if you'll excuse me, I have some tinfoil hats to make.
  • You bring up very valid points here. I thought it was odd that she says she was born in Nebraska but I have never met her family. And she loves vodka. And speaks Russian. Odd.
  • And yet people still think that they can store their data in cloud services such as Google Drive, iCloud, Amazon, Outlook and still feel that their data is safe? Somehow as time goes on, I don't think so. Lots of breaches over the past number of years. How many others occur that we never hear of?
  • Ironically, so far not a single one of these breaches has occurred through cloud providers. I'm sure that too will happen. But for now, the theory that cloud is less secure is not holding up. Still your point is valid. Our data is not secure.
  • I thought Apple's iCloud system was hacked a few years ago?
  • Hey, I know....We should all be issued new SSN's. Call it the 'clean slate scandal'
  • Ye any no one actually has a choice to be with these
  • The problem is people will spend as little as they have to to be in accordance with the law
  • And what do the customers in other countries do to deserve if they have been affected?
  • Be careful signing up for the free credit monitoring, they say it contains language that prevents you from joining a class action lawsuit against the company. Please read the fine print.
  • Good point.
  • I never used Equifax.
  • I just tried to call Equifax main 800 number cause it said I was part of the hack but did not give me any steps to continue signing up for the free service. The 800 number just gave me a busy signal!! 😱😢
  • When I hit the submit button, the page instructed to come back on the 14th in order to enroll into TrustedID Premier.
  • Considering how many were affected, and how many employees they likely have (probably a LOT less than 1 million), a busy signal isn't surprising. I'd actually expect "reorder" (a fast busy signal).
  • Also, just to put it out there. Their message just told me they only open for taking calls at 9am.
  • They didn't say which timezone?
  • I froze my credit reports anyways so good luck using it.
  • Oh my. This is the worst combination of facts I've ever seen in one place acting so many people in my life. The executives should be hung. The fact that they knew about it and didn't announce it. The fact that they sold stock after they knew. And the fact that we now actively have to protect our own credit. This is egregious.
  • Sweet. And since when did I give Equifax permission to have my information anyways?
  • Ever sign an agreement allowing you to take out a line of credit in the US? That was when.
  • Oh maybe that's what is in the fine print.
  • Yeah. Any time you do anything that requires a credit check, you consent to have the creditor (credit card company, mobile carrier, car loan holder, etc) report to and take information about you from the credit reporting bureaus. You can see what information the three major bureaus have on you once a year through annualcreditreport.com.
  • This x1000!
    I always wonder how this whole credit rating system got started. I didn't give any of these organizations my permission or my information. They've taken it against my will. Then when you find they have incorrect information, they're not responsible for any of the issues it can cause you. They can literally destroy your life with wrong information. And on top of all that, they make it almost impossible to correct the wrong information they have. I've been trying to get my dad's info off my credit report for the last 30 years with no luck.
  • We should sue the pants off of this company.
  • Bummer! I checked and received a reply saying my "personal information may have been impacted by this incident."
  • Most interesting, I already have their credit monitoring program and heard nothing about this until watching the news last night. Aholes!
  • That's just lovely, the idiots you try to appease your whole life so your credit doesn't tank helps to tank it for you.
    Screw them!!
  • Unless the hackers are identified, one has to wonder if the data breach was orchestrated by the bureau itself as a way to sell more protection programs. Free protection for only one year? It should be for life in situations like this.
  • I saw this about Equifax on CNBC. They said that if you sign up for the free credit monitoring Equifax is offering, it automatically opts you out of any class action lawsuit that could occur. Once word got out that Equifax had included this clause, they got a lot of pressure to remove it... as of now, I'm not sure if it remains or not. Just an FYI for everyone.