Credit monitoring agency Equifax Inc. disclosed Thursday a "cybersecurity incident" that potentially impacts 143 million U.S. consumers -- nearly half of Americans.
From May to July 2017, the company said "criminals" abused a U.S. website application vulnerability to gain access to certain files. The primary information collected includes names, Social Security numbers, birthdays, addresses, and even driver's license numbers. Additionally, approximately 209,000 American consumers had their credit card numbers collected and dispute documents with personal information for approximately 182,000 Americans was collected.
"This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes," Equifax Chairman and CEO Richard Smith said in a statement. "We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations."
The company added that it found "no evidence of unauthorized activity on Equifax's core consumer or commercial credit reporting databases." Unauthorized access to "limited personal information" was also detected for certain residents of the United Kingdom.
Equifax said it became aware of the hack on July 29, 2017 and consequently headed an independent cybersecurity firm to conduct a comprehensive review to assess the breadth of the intrusion and what data was affected. Equifax also said it reported the intrusion to law enforcement.
The Federal Bureau of Investigation is investigating the security breach, according to ABC News. Additionally, an independent cybersecurity firm has been hired to provide recommendations to prevent another cybersecurity incident from occurring in the future.
"I've told our entire team that our goal can't simply be to fix the problem and move on. Confronting cybersecurity risks is a daily fight," Smith said. "While we've made significant investments in data security, we recognize that we must do more. And we will."
Equifax has created a website, www.equifaxsecurity2017.com, to assist consumers in determining whether their information has been accessed. Likewise, Equifax is sending direct mail notices to those whose information was retrieved. U.S. state and federal regulators and state attorneys general have been contacted about the incident.