Correction: Equifax-Cyberattack story

Posted September 8

This July 21, 2012, photo shows Equifax Inc., offices in Atlanta. Credit monitoring company Equifax says a breach exposed social security numbers and other data from about 143 million Americans. The Atlanta-based company said Thursday, Sept. 7, 2017, that "criminals" exploited a U.S. website application to access files between mid-May and July of this year. (AP Photo/Mike Stewart)

— In a story Sept. 7 about the cyberattack on Equifax, The Associated Press reported erroneously that Experian is offering free credit monitoring to all U.S. consumers for a year. It is Equifax that is offering the free credit monitoring.

A corrected version of the story is below:

Equifax breach exposes 143 million people to identity theft

Credit monitoring company Equifax says a breach exposed Social Security numbers and other data from 143 million Americans


AP Technology Writer

Credit monitoring company Equifax has been hit by a high-tech heist that exposed the Social Security numbers and other sensitive information about 143 million Americans. Now the unwitting victims have to worry about the threat of having their identities stolen.

The Atlanta-based company, one of three major U.S. credit bureaus, said Thursday that "criminals" exploited a U.S. website application to access files between mid-May and July of this year.

The theft obtained consumers' names, Social Security numbers, birth dates, addresses and, in some cases, driver's license numbers. The purloined data can be enough for crooks to hijack the identities of people whose credentials were stolen through no fault of their own, potentially wreaking havoc on their lives. Equifax said its core credit-reporting databases don't appear to have been breached.

"On a scale of one to 10, this is a 10 in terms of potential identity theft," said Gartner security analyst Avivah Litan. "Credit bureaus keep so much data about us that affects almost everything we do."

Lenders rely on the information collected by the credit bureaus to help them decide whether to approve financing for homes, cars and credit cards. Credit checks are even sometimes done by employers when deciding whom to hire for a job.

Equifax discovered the hack July 29, but waited until Thursday to warn consumers. The Atlanta-based company declined to comment on that delay or anything else beyond its published statement. It's not unusual for U.S. authorities to ask a company hit in a major hack to delay public notice so that investigators can pursue the perpetrators.

The company established a website,, where people can check to see if their personal information may have been stolen. Consumers can also call 866-447-7559 for more information. Equifax is also offering free credit monitoring to all U.S. consumers for a year.

"This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do," Equifax CEO Richard Smith said in a statement. "I apologize to consumers and our business customers for the concern and frustration this causes."

This isn't the biggest data breach in history. That indignity still belongs to Yahoo, which was targeted in at least two separate digital burglaries that affected more than 1 billion of its users' accounts throughout the world.

But no Social Security numbers or drivers' license information were disclosed in the Yahoo break-in.

Equifax's security lapse could be the largest theft involving Social Security numbers, one of the most common methods used to confirm a person's identity in the U.S. It eclipses a 2015 hack at health insurer Anthem Inc. that involved the Social Security numbers of about 80 million people.

Any data breach threatens to tarnish a company's reputation, but it is especially mortifying for Equifax, whose entire business revolves around providing a clear financial profile of consumers that lenders and other businesses can trust.

"This really undermines their credibility," Litan said. It also could undermine the integrity of the information stockpiled by two other major credit bureaus, Experian and TransUnion, since they hold virtually all the data that Equifax does, Litan said.

Equifax's stock dropped 13 percent to $124.10 in extended trading after its announcement of the breach.

Three Equifax executives insulated themselves from that downturn by selling shares worth a combined $1.8 million just a few days after the company discovered the breach on July 29, according to documents filed with securities regulators.

The sales, executed on August 1 and August 2, were made by: John Gamble, Equifax's chief financial officer; Rodolfo Ploder, Equifax's president of workforce solutions; and Joseph Loughran, Equifax's president of U.S. information solutions. Bloomberg News first reported the divestitures.

In a subsequent statement, Equifax said the three executives "had no knowledge that an intrusion had occurred at the time they sold their shares."

The potential aftershocks of the Equifax breach should make it clear that Social Security numbers are becoming an unreliable way to verify a person's identity, Nathaniel Gleicher, the former director of cybersecurity policy in the White House during the Obama administration, said in an email statement.

"This breach might just have put the nail in the coffin of the idea that we can use personal identifiers like Social Security numbers as security factors," wrote Gleicher, who now oversees cybersecurity strategy for computer security firm Illumio.

In addition to the personal information stolen in its breach, Equifax said the credit card numbers for about 209,000 U.S. consumers were also taken, as were "certain dispute documents" containing personal information for approximately 182,000 U.S. individuals.

Equifax warned that hackers also may have some "limited personal information" about British and Canadian residents. The company doesn't believe that consumers from any other countries were affected.


Please with your account to comment on this story. You also will need a Facebook account to comment.

Oldest First
View all
  • Nicolle Leney Sep 8, 3:27 p.m.
    user avatar

    Also, in order to find out if you are affected, you have to go on the site and give your last name and the last SIX digits of your SSN! Even though it says it's secure, I'm sure those files were supposed to be secure as well.

  • Nicolle Leney Sep 8, 3:26 p.m.
    user avatar

    Heads up, according to the Washington Post (, "buried in the terms of service is language that bars those who enroll in the Equifax checker program from participating in any class-action lawsuits that may arise from the incident."

    Not sure if this means just checking to see if you've been hacked or signing up for the 1-year free identity theft protection and credit file monitoring. But another WP article ( notes that "Several people who took the leap and submitted their information to Equifax said on Twitter and elsewhere that after signing up, Equifax did not disclose whether their personal data was impacted by the massive breach. Instead they received an enrollment date for the credit monitoring program."

  • Jeffrey Derry Sep 8, 1:09 p.m.
    user avatar

    They should be investigated and if guilty thrown in jail........#equifax

  • Wayne Hill Sep 8, 8:57 a.m.
    user avatar

    What is audacious is they have the arrogance to judge people's credit worthiness, when their's is the height of financial malfeasance.

  • Janet Ghumri Sep 7, 9:43 p.m.
    user avatar

    sooooo, they "discovered" the breach in late July, and August 1st and 2nd three of the big dogs of the company cashed out over one and a half million dollars worth of shares to (ahem) insulate themselves from the projected downturn in the stock value. Then the breach goes unreported until September?? I don't care who told them (if, in fact, anyone did) to delay reporting the theft, I think those executives should be criminally prosecuted, and fined the full ammount of the stocks they dumped on the market.
    This is a story about two thefts at Experian! How disgusting that they have the authority to disclose the credit scores for millions of hard working people, yet they are robbed blind and take the opportunity to profit from it. smh

  • Kelly Thornburg Sep 7, 6:45 p.m.
    user avatar

    They do not want folks to sign up for this stuff. The instructions are cryptic, and the steps keep taking you back through the same loop over and over again. What a bunch of quacks.

  • Nick Edwards Sep 7, 6:24 p.m.
    user avatar

    Guarantee they still use a windows xp platform on their servers. These companies don't care about anything but profit.