A security breach at credit-monitoring company Equifax Inc. that could affect up to 143 million people in the United States has also exposed "limited personal information" for an undisclosed number of Canadians.
The Atlanta-based company, one of three major credit bureaus in the United States, said on Thursday that "criminals" exploited a U.S. website application to access files between mid-May and July of this year.
Information obtained included consumers' names, social security numbers, birthdates, addresses and, in some cases, drivers licence numbers. Equifax said its core credit-reporting databases don't appear to have been breached. Equifax did not indicate how many Canadians could be affected or in what way, other than to say it involved limited information of residents of Canada and Britain. The company declined to provide more information on Thursday.
"On a scale of one to 10, this is a 10 in terms of potential identity theft," said Gartner security analyst Avivah Litan. "Credit bureaus keep so much data about us that affects almost everything we do."
Lenders rely on the information collected by the credit bureaus to help them decide whether to approve financing for homes, cars and credit cards.
The amount and type of information Equifax holds make it a prime target for hackers, said Hasan Cavusoglu, associate professor of the accounting and information systems division of the UBC Sauder School of Business in Vancouver.
"Every company will have some exposure to risk depending on the kinds of information they keep about their customers," he said. "The more information you keep, the more likely it is that adversaries will target your organization.
"If we create these 'superentities' – like super data collection companies – we are collecting much larger data sets and they will be more likely to be targeted," Prof. Cavusoglu said.
Equifax discovered the hack July 29, but waited until Thursday to warn consumers. The company declined requests for additional comment. It's not unusual for U.S. authorities to ask a company hit in a major hack to delay public notice so that investigators can pursue the perpetrators.
The company established a website, equifaxsecurity2017.com, where people can check to see whether their personal information may have been stolen. Consumers can also call 866-447-7559 for more information.
"This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do," Equifax chief executive officer Richard Smith said in a statement. "I apologize to consumers and our business customers for the concern and frustration this causes."
This isn't the biggest data breach in history. That indignity still belongs to Yahoo, which was targeted in at least two separate digital burglaries that affected more than one billion of its users' accounts throughout the world.
Any data breach threatens to tarnish a company's reputation, but it is especially mortifying for Equifax, whose entire business revolves around providing a clear financial profile of consumers that lenders and other businesses can trust.
"This really undermines their credibility," Ms. Litan said.
Equifax's stock dropped 13 per cent to $124.10 (U.S.) in extended trading after its announcement of the breach.
Three Equifax executives insulated themselves from that downturn by selling shares worth a combined $1.8-million just a few days after the company discovered it had been hacked, according to documents filed with securities regulators.
The sales, executed on Aug. 1 and 2, were made by: John Gamble, Equifax's chief financial officer; Rodolfo Ploder, Equifax's president of work-force solutions; and Joseph Loughran, Equifax's president of U.S. information solutions. Bloomberg News first reported the divestitures.
In addition to the personal information stolen in its breach, Equifax said the credit card numbers for about 209,000 U.S. consumers were also taken, as were "certain dispute documents" containing personal information for approximately 182,000 people in the United States.
With reports by Bloomberg News and the Associated Press