Equifax data breach may affect nearly half the US population

Hackers steal sensitive personal information on as many as 143 million people from the credit reporting firm.

Alfred Ng Senior Reporter / CNET News
Steven Musil Night Editor / News

Hackers stole a treasure trove of financial data from a top credit-reporting company, potentially exposing the personal information of roughly half the US population.

Equifax said Thursday that thieves stole customer names, Social Security numbers, birthdates and addresses in a hack that stretched from mid-May through July. The data taken affected as many as 143 million people.

The number of affected people is roughly half of the US population of 323 million. The number reported by Equifax doesn't include victims from around the world. 

"This is clearly a disappointing event and one that strikes at the heart of who we are and what we do," Equifax CEO Rick Smith said in a video released Thursday. In a separate statement, Equifax said it is working with law enforcement on an investigation. 

The breach, which was particularly potent because one company held such a large amount of sensitive information, is among the largest in US history and the biggest known leak of 2017. Yahoo lost data on roughly a record 1 billion accounts in 2013, the web portal said last year.

You can check if your data was leaked at Equifax's website. Here's a step-by-step on how to find out if you were affected by the Equifax hack.

Worried consumers, however, expressed frustration with a tool the company launched to help them determine if their personal information had been stolen.

Equifax learned about the breach on July 29 but didn't reveal it for more than a month. The hackers stole credit card numbers of about 209,000 people and also got documents with personal information on 182,000 victims, Equifax said in a statement to its investors.   

People in the UK and Canada have also been affected by the breach, the company said. It has stopped the breach and is still investigating who was behind the break-in.

"Criminals exploited a US website application vulnerability to gain access to certain files," Equifax said in its statement.

Companies like Target, Home Depot and Sony have offered free credit monitoring through Equifax after they suffered breaches, and Equifax is one of three major companies that monitor credit scores after data breaches. Equifax is offering its own credit-monitoring service to people affected by its own breach.

The protection includes free identity theft protection and credit monitoring for the next year. 

"Given that financial institutions, including credit card companies, banks, credit unions, retailers and lenders report the details of credit activity to Equifax, the 143 million consumers affected may not even be aware the company has this information on them," Theresa Payton, who runs Fortalice Solutions, a security company, said in an email.

Sen. Mark Warner (D-Virginia), the vice chair of the Senate Intelligence Committee, called Equifax's revelation "profoundly troubling" and suggested it was time for Congress to weigh in on stronger data protection standards for consumers.

Warner said the hack "raises serious questions about whether Congress should not only create a uniform data breach notification standard, but also whether Congress needs to rethink data protection policies, so that enterprises such as Equifax have fewer incentives to collect large, centralized sets of highly sensitive data like SSNs and credit card information on millions of Americans."

Equifax's revelation of the breach was complicated by news three executives had sold shares of the company after the hack was uncovered. The executives, including the company's chief financial officer, sold shares worth almost $1.8 million three days after the breach was discovered and several weeks before it was made public, according to regulatory filings.

The Securities and Exchange Commission bars corporate insiders such as executives, employees and directors from buying or selling stock in their company while in possession of material information not yet made public. Equifax denied the executives sold their shares based on insider information.

"The three executives who sold a small percentage of their Equifax shares on Tuesday, August 1, and Wednesday, August 2, had no knowledge that an intrusion had occurred at the time they sold their shares," Ines Gutzmer, Equifax's chief of corporate communications, said.

Equifax's stock, which had been up in regular trading, dropped more than 13 percent in after-hours trading following the announcement.

This story was originally published at 2:25 p.m. PT.

Updated at 7:50 p.m. PT: To correct Sen. Warner's political affiliation.

Updated at 6 p.m. PT: To include consumer and Sen. Warner reactions.

Updated at 4:10 p.m. PT: To include executive stock sales and after-hours trading.

Updated at 3:06 p.m. PT: To include details about Equifax and statements from an expert.
