One of the largest security breaches ever has come to light today as Equifax revealed attackers used an exploit on its website to access records for 143 million US citizens (for reference, the US has a population of 323 million or so, that's about 44 percent). The oldest of the three major US credit bureaus, it maintains information on over 800 million people for credit and insurance reports, which also makes it a juicy target for anyone trying to steal data. Equifax says the breach lasted from mid-May through July 29th, when it was detected.
The criminals had access to information that could allow them to create or take over accounts for many of the people impacted, since they have names, addresses, birth dates, social security numbers and "in some cases" driver's license numbers. An unspecified number of UK and Canadian residents were hit, as were the credit card numbers for 209,000 people and certain dispute documents for 182,000 people in the US.
So what do you do now? Equifax has set up a website offering credit monitoring and identity theft protection to all US residents free for one year, if that will help. Its TrustedID Premier setup does "3-Bureau credit monitoring of Equifax, Experian and TransUnion credit reports; copies of Equifax credit reports; the ability to lock and unlock Equifax credit reports; identity theft insurance; and Internet scanning for Social Security numbers." Since the company is only directly notifying the people whose credit card info or dispute documents were leaked, registering on the website or calling its hotline (866-447-7559) may be the only way to know for sure if you were impacted.
The number of people impacted combined with the amount of information Equifax holds (and has now leaked) may make this the biggest security breach among the many we've seen over the last few years. Yahoo gave up info on over one billion accounts, but it didn't have social security and driver's license numbers. The same goes for Adult Friend Finder, eBay, Ashley Madison and others. Hacks that affected Anthem (80 million people), the US government's Office of Personnel Management (5.6 million), JP Morgan Chase (76 million) and Heartland Payment Systems (134 million) may be closer comparisons.
Adding insult to injury, after breaches like the one that hit Target for info on 40 million people, consumers were offered free credit monitoring through -- wait for it -- Equifax.
Update: Additionally, Bloomberg reports that three Equifax senior execs, including CFO John Gamble, sold $1.8 million in stock between the time the breach was found and when it was announced today.