Equifax said the breach was the result of exploitation of a U.S. website app.

Cybercriminals gained unauthorized access to Equifax files in a breach that could affect as many as 143 million consumers in the U.S., the company said Thursday.

Thursday's disclosure cast a wary eye on the timing of a stock sell-off by three Equifax senior executives just three days after the company discovered the breach. Chief Financial Officer John Gamble, President of U.S. Information Solutions Joseph Loughran, and President of Workforce Solutions Rodolfo Ploder sold more than $1.8 million of shares, none of which seemed to be attributed to 10b5-1 pre-scheduled trading plans, according to a Bloomberg report.

Social Security numbers, birth dates, addresses and driver's license numbers were among the information accessed during the incident, which occurred between mid-May and July 2017. The hackers also accessed credit card information of about 209,000 U.S. consumers and dispute documents that included personal identifying information for about 182,000 consumers.

Equifax learned of the data breach on July 29, which it said was the result of exploitation of a U.S. website app, and brought in an outside security firm to do the forensics. 

"It should be noted, also, that this breach did not happen by the more popular social engineering style attacks such as a phishing email compromising an employee's system or a malicious insider leaking the data, but rather, this was due to an application vulnerability in one of their websites," said Nathan Wenzler, chief security strategist at AsTech. "This is something we in the security community continue to see rising, as organizations are getting better and better at defending servers, workstations and laptops, the cyber criminals simply move on to the next easiest target, which is most commonly the organization's web applications." 

Wenzler said regardless of industry, it's no longer good enough to just defend internal systems. "More and more, a comprehensive security strategy is absolutely necessary that covers education, technical security controls for servers and other assets, network security and stronger software development practices that create secure applications during development and not tacked on after the fact. Hackers will find the easiest path to steal data, and organizations must be more diligent about making security part of every aspect of their technology infrastructure and development efforts."

The "massive, and unfortunate" breach "once again amplifies the need for better application security testing and assurance on a continuous basis," said CYBRIC CTO Mike Kail. "The status quo isn't working as these types of exploits are becoming all too common."

Equifax acknowledged that the incident was a disappointment for a company charged with handling and protecting information.

"This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes," Equifax Chairman and CEO Richard F. Smith said. "We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations. We also are focused on consumer protection and have developed a comprehensive portfolio of services to support all U.S. consumers, regardless of whether they were impacted by this incident."

The credit information company has created a dedicated website to assist consumers in determining if theirs is among the information affected. They can sign up for ID theft protection and credit monitoring services at the site. Equifax is also mailing out notices to consumers whose credit card numbers or dispute documents containing PII were affected by the breach.

While U.S. consumers seemed to be in the crosshairs in this incident, the company's probe also uncovered unauthorized access to “limited personal information” for some residents in the U.K. and Canada.

Matt Schultz, senior industry analyst at CreditCards.com, advised consumers to be diligent "and not just in the short term," noting that "bad guys can be very patient, so it's important to keep an eye out long after this story fades from the headlines."

"We think nothing of checking Facebook or Instagram 10 times a day, but many think it is too much to ask to check your bank statements once a week," said Schultz. "It's not. It's easy to do, doesn't take long and can help you spot problems before they get out of control."