The systems of United States-based credit monitoring agency Equifax had been vulnerable since March of this year. However, hackers did not take advantage of these flaws until mid-May, when they infiltrated the unpatched Equifax web application.
At least 15.2 million client records were exposed in the breach, including 693,665 customers who had sensitive information stolen.
But it wasn’t until recently that Equifax finally disclosed that a cyber attack had hit the firm. However, the company underestimated the number of customers affected, claiming there were fewer than 400,000. The revised figure comes after Equifax data breach investigators discovered that hackers had managed to access and steal other files as well.
The number of customers actually affected by the Equifax cyber attack totals 145 million people, with most victims residing in the U.S. Most of them have had information compromised, including birth dates, social security numbers, email addresses, phone numbers and passwords. The exposed data also included partial credit card information of 15,000 users and driver license numbers of close to 10.5 million Americans.
This massive hack was blamed on Equifax’s failure to apply a patch for Apache Struts, which left open a flaw that had previously raised security concerns.
The credit reference agency, which holds details for 820 million consumers and about 91 million companies based in the U.S., Europe, Australia and other regions, initially said the compromised customer records did not contain any information. The company also assured its customers that identity theft was very unlikely to occur.
However, security experts in the U.K. and U.S. warned that it was possible for cybercriminals to use these details to retrieve full payment details. Equifax alerted the National Cyber Security Centre about the incident, which has issued an advisory statement to the affected customers.
At the same time, the credit company stated that it would notify the 693,665 U.K. victims and provide some risk-mitigation products to help the affected consumers minimize possible criminal activities.
Equifax is now facing heaps of criticism from its consumers, regulators and the government over how it handled the data leak, which occurred in May and remained undisclosed until September 7. Additionally, the agency could face political backlash, as Nicky Morgan, the national head of treasury, has now demanded answers as to why Equifax took so long to inform U.K. customers about the cyber attack.
Morgan has also written to Patricio Remon, Equifax’s European chief, asking for the entire scope of the widespread cyber security breach, and what compensation measures will be provided to affected consumers. She also sent a letter to the U.K.’s Financial Conduct Authority (FCA) to monitor Equifax operations in the country.
Morgan said that Equifax left people in the dark for too long, increasing the possible risks that they’ll fall victim to online fraud, identity theft and other criminal activities.
The Treasury Committee members also added that they would take action against Equifax, particularly if they do not receive a detailed and timely response to their questions. Since the hack attack was reported, the chief executive officer, chief security officer and chief information officer at Equifax have all resigned.
In response to the issue, Remon sent his sincere apologies to everyone impacted by the cyber attack. He added that it would have been inappropriate for the agency to notify all customers affected until all details of the attack were known and a full forensic investigation report was released.
Remon insisted that protecting the data of consumers and clients has always been the company’s top priority. He also requested that everyone who receives a letter from the agency take action as advised. Equifax would offer some remedial services and a one-week helpline to assist affected consumers in protecting their identity.
Both political movements and federal agencies are clamping down on credit companies following the industry’s largest data breach. They are calling for a complete transformation of Equifax and the entire lot of industry partners that seem to disregard the security of their customers.
It is likely that Equifax will be summoned before the U.K. committee and House of Commons—especially now after Rick Smith, Equifax’s head of U.S. operations who resigned a few weeks ago, was asked to appear before a U.S. Congressional Committee.