Half of US citizens' info exposed in data breach
Personal information of around 143 million US citizens — around half of the nation’s population — may have been stolen from credit reporting agency Equifax in a major data breach.
The company announced it has discovered that criminals exploited a website vulnerability to gain unauthorised access to information including names, social security numbers — the rough equivalent to a tax file or Medicare number — birth dates, addresses and in some cases, driver’s licence numbers.
Credit card numbers for around 209,000 US consumers and dispute documents with personal identifying information of 182,000 US consumers were also accessed.
Attackers also gained access to limited personal information from some UK and Canadian residents. But Equifax Australia, the company’s local subsidiary, has tweeted that there is no evidence that personal information from any Australian or New Zealand consumers has been accessed.
Equifax discovered the data breach on 29 July and promptly engaged an independent cybersecurity company to conduct a forensic review into the attack, the company said. This investigation is mostly complete but is still ongoing.
“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologise to consumers and our business customers for the concern and frustration this causes,” Equifax Chairman and CEO Richard F Smith said.
“We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations. We also are focused on consumer protection and have developed a comprehensive portfolio of services to support all US consumers, regardless of whether they were impacted by this incident.”
These will include free credit monitoring and identity theft protection for one year for US consumers and a dedicated call centre for helping consumers.
But despite Smith’s strong claims about Equifax’s commitment to security, an investigation by the New York Times found that the company was generating the personal identification numbers that consumers use for freezing their credit files with a transparent algorithm based on the date and time of a freeze request.
Forcepoint Chief Scientist Dr Richard Ford said the incident demonstrates how important it is for companies engaged in the mass collection of personal information to have robust systems in place to protect this information.
“The more sensitive the data the greater the liabilities caused by a breach. The threats to this data are diverse, ranging from the apparent hack disclosed here to accidental loss by authorised users,” he said.
“Focusing too narrowly on a single scenario can prevent companies from seeing the full spectrum of risk they face, with dire consequences. Companies need to augment legacy defences with modern, human-centric approaches that look at how and why data is accessed and by whom; this intersection of people, data and systems can become the critical point for effective security and compliance.”
Shares in Equifax on the New York Stock Exchange shrank more than 13.6% in after-hours trading to US$123.23 ($153.16) after the company disclosed the breach.
According to research conducted by the Ponemon Institute for Centrify, disclosures of a high-profile data breach are often accompanied by a shrinking stock price.
The duration of the decline depends on the company’s reaction — companies with a high-security posture that responded quickly to the data breach recovered their stock value after an average of seven days, but companies with a low-security posture that took time to respond experienced a stock price decline that on average lasted more than 90 days.