Equifax revealed a huge data breach on Thursday, affecting 143 million customers of its credit and information services.
The credit reporting agency said the breach included information on names, birth dates, Social Security numbers, addresses, and some driver's license numbers. It also included more than 200,000 credit card numbers and nearly 200,000 other documents with personal identifying information. It said the breach did not appear to impact its core consumer or commercial credit reporting databases.
"This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes," Chairman and Chief Executive Officer Richard F. Smith said in a statement. "We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations. We also are focused on consumer protection and have developed a comprehensive portfolio of services to support all U.S. consumers, regardless of whether they were impacted by this incident."
Equifax said the breach was discovered on July 29, and the company "acted immediately to stop the intrusion." It said it has engaged a "leading, independent cybersecurity firm" – though it didn't name the company – and is already working with law enforcement.
Equifax said its preliminary investigation found the breach was due to a vulnerability in a U.S. website application, which allowed hackers access to certain files.
Michael Knight, CTO of Greenville, S.C.-based Encore Technology Group, said the breach highlights the importance of full application vulnerability review, as well as having the right tools in place for logging, spotting anomalous behavior, and ongoing security checks.
"Typically speaking these types of things are a breakdown of some basic policy and routine procedures … For a huge, very profitable financial entity to have this happen, most likely they had a lot of different tools but probably not a good visualization and anomalous detection tool in place," Knight said.
What's key, Knight said, is following a multi-layered approach that tests the application for vulnerabilities at all levels, including the application itself, the web server, the operating system, other applications it communicates with, and more. He said that also includes ongoing red teaming and blue teaming to weed out other unknown vulnerabilities.
"When as big as Equifax – and I'm not saying they don't have these types of exercises – but when you're that big and protecting that much information, that needs to be an extensive amount of your practice," Knight said.
Equifax CEO Smith said in a statement that the company has already engaged with a leading cybersecurity firm to help improve its internal security.
"I've told our entire team that our goal can't be simply to fix the problem and move on. Confronting cybersecurity risks is a daily fight. While we've made significant investments in data security, we recognize we must do more. And we will," Smith said in a statement.
Equifax said it would notify customers impacted by the breach by mail. It said it would also provide those impacted with credit monitoring and identity protection services for one year.