Massive Data Breach At Equifax: As Many As 143 Million Social Security Numbers Hacked

Credit-reporting company Equifax shocked investors, and more than a third of America, when it announced on Thursday afternoon that hackers had breached its data systems, compromising the personal information of approximately 143 million U.S. consumers. The information accessed "primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers." In other words, pretty much everything that should have been hidden behind an n-number of firewalls, is now available to the dark net's highest bidder. 

The company, which in delightful irony offers credit-monitoring and identity-theft protection products to "guard consumers’ personal information", said that it had learned of the incident on July 29, 2017, at which point it reported the intrusion to law enforcement and contracted a cybersecurity firm to conduct a forensic review: based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017. Oddly enough, it took shareholders and over a third of America, more than a month longer to learn that all their personal data may have been compromised.

As if 143 million leaked social security numbers wasn't enough, Equifax said that criminals also accessed credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers. But wait, there's more: the company also identified unauthorized access to limited personal information for certain UK and Canadian residents.

The good news, is that according to Equifax, "this issue has been contained." The bad news is that, well, as many as 143 million social security numbers have been hacked. So no, it's not contained.

“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do,” Equifax Chief Executive Richard Smith said in prepared remarks. “I apologize to consumers and our business customers for the concern and frustration this causes.”

In a Q&A posted on the company's website, the management team revealed what's really important with the following question and answer:

Does this cybersecurity incident impact your capital allocation priorities going forward?

 

Our capital allocation priorities are unchanged at this time. As we have previously indicated, our investment priorities in order of importance are: (1) internal investment; (2) dividends; (3) acquisition; and (4) share repurchase. We do, however, expect to increase our capital spending in an effort to further accelerate IT infrastructure, systems and data security and resiliency improvement actions.

Oh, good, because a hack involving 143 million SSNs is one of those cases where capex probably should have taken precedence over stock buybacks.  Don't worry though, because as it explains in the same quesionnaire, "Equifax remains committed to delivering on the long term financial model of 7-10% revenue growth and 11%- 14% growth in Adjusted EPS on average over a business cycle. Equifax’s long term financial model reflects our continuing fundamental ability to utilize our unique and differentiated data assets and leading analytical capability to deliver high value products and services to our customers."

Uhm, after this... what customers?

After falling as much as 12% in the after hours, EFX stock stabilized... then fell as much as 19%.

And now the best news: with Putin clearly behind this hack - as "all 17 intelligence agencies", WaPo and NYT will shortly "confirm" - the US economy is about to undergo a renaissance as hundreds of millions of (unsolicited) purchases prompt a golden age for US retailers while sending Amazon market cap into the $1 trillions...  even if the shipping address for said purchases happen to be small, frigid villages deep in the Russian taiga.

Full statement from Equifax here.

Update:

In appears there was a reason why EFX decided to hold on to the hacking news a little longer than seems reasonable. As Bloomberg reports, "three Equifax Inc. senior executives sold shares worth almost $1.8 million in the days after the company discovered a security breach that may have compromised information on about 143 million U.S. consumers."

The credit-reporting service said late Thursday in a statement that it discovered the intrusion on July 29. Regulatory filings show that three days later, Chief Financial Officer John Gamble sold shares worth $946,374 and Joseph Loughran, president of U.S. information solutions, exercised options to dispose of stock worth $584,099. Rodolfo Ploder, president of workforce solutions, sold $250,458 of stock on Aug. 2. None of the filings lists the transactions as being part of 10b5-1 pre-scheduled trading plans.

Surely, it was all purely a coincidence, even though had they waited until today, their proceeds would be well over 10% lower...

Comments

MillionDollarButter N2OJoe Thu, 09/07/2017 - 18:30 Permalink

They shouldn't be able to get out of this by offering 12 months of:"Equifax ID Patrol™$16.95 / monthEquifax ID Patrol provides 3-Bureau credit file monitoring1. If you see unusual activity, you have the power to lock and unlock your Equifax credit file online – helping better protect your identity and monitor the credit you’ve worked hard to earn."It needs to be lifetime free, and provided by a third party.

In reply to by N2OJoe

CheapBastard tmosley Thu, 09/07/2017 - 19:04 Permalink

And remember the "data breach" at gubmint offices where millions of those numbers were hacked.I won't get into targets data breach of 45 million if I remember correctly and they sat on it fo rmonths before notifying cusotmers.Odd, they're quick to enforce Obama's Tranny-Pedo bathroom policies, but slow on trivial matters like all your fucking personal data stolen!

In reply to by tmosley

aurum4040 tmosley Thu, 09/07/2017 - 20:30 Permalink

Imagine that, another accurate, true blockchain statement downvoted by the crypto ignoramuses. For the uninitiated - Monero (XMR) excels in the  fully obfuscated/untraceable and immutable categories. Perhaps Equifax needs a little XMR in their lives? Perhaps Monero or another Crypto simply displaces the big 3? And this would be small peanuts in comparison to the crypto possibility/probability pie.https://hbr.org/2017/03/blockchain-will-help-us-prove-our-identities-in…

In reply to by tmosley

MillionDollarButter Pure Evil Thu, 09/07/2017 - 19:41 Permalink

Companies that have had a data breach have typically offered identity theft monitoring.  I bought stuff at Target, which is why I had Equifax in the first place.  It was free for a couple of months.  Now Equifux is touting for business with their new "crisis".  They have means, motive, and opportunity.  They should be the primary suspects in this breach.

In reply to by Pure Evil

DC Exile MillionDollarButter Fri, 09/08/2017 - 08:44 Permalink

While the CEO claims there is "no evidence" of real damage, he "apologizes" for consumer "frustration". Clearly Eqifax is speaking carelfully under lawyer advice to avoid a class-action. In any event, this is from Equifax website (one year free indeed lol!): Equifax has established a dedicated website, www.equifaxsecurity2017.com, to help consumers determine if their information has been potentially impacted and to sign up for credit file monitoring and identity theft protection. The offering, called TrustedID Premier, includes 3-Bureau credit monitoring of Equifax, Experian and TransUnion credit reports; copies of Equifax credit reports; the ability to lock and unlock Equifax credit reports; identity theft insurance; and Internet scanning for Social Security numbers – all complimentary to U.S. consumers for one year. The website also provides additional information on steps consumers can take to protect their personal information. Equifax recommends that consumers with additional questions visit www.equifaxsecurity2017.com or contact a dedicated call center at 866-447-7559, which the company set up to assist consumers. The call center is open every day (including weekends) from 7:00 a.m. – 1:00 a.m. Eastern time.

In reply to by MillionDollarButter

Rubicon727 Cthonic Thu, 09/07/2017 - 20:05 Permalink

"They sat on the breach for a month.  Purportedly learned of it on July 27th, the day after they reported earnings??"Unbelievable!! This is the corporation that safeguards all our credit card/ss/driver's license/phone numbers and *THEY HAVE* been breached.I'd say American capitalism is leaning closer to collapse!!!!!I tried phoning that company, BUT "Due to the high calls, either stay on the phone, or leave a message and someone will get back to you." REALLY!!!!!This company should be destroyed immediately!!!!!!!!!!!!! GRRRRR.

In reply to by Cthonic

lincolnsteffens prefan4200 Thu, 09/07/2017 - 20:02 Permalink

The more information is centralized the worse the outcome if it gets zipped up in a zip file and taken. When everything was done on paper this kind of thing never could have happened. Sure, break into an office and steal their files but can you imagine trying to steal this kind of information in paper form? Even if all the same information stolen was on paper in one location it would take days, maybe weeks to load it into who knows how many tractor trailers.Now what, assign everyone new SSNs, credit card #s, birth dates (!!!!), phone #, location???Cluster fuck on the scale of the approaching hurricane.

In reply to by prefan4200

ByTheCross prefan4200 Fri, 09/08/2017 - 03:44 Permalink

It is not possible to have your identity stolen.It is possible that people can steal credentials that make it easier to impersonate you, but even so, the responsibility for establishing your identity lies with the other person, not you - and that includes the responsibility for detecting imposters.The notion that identity can be stolen was created by the banks so they can evade this responsibility, e.g.Joe: "Why do I have a zero balance?"Bank: "You withdrew all your money yesterday."Joe: "Not me!"Bank: "Hmmm. Your identity has been stolen. You'd better report it to the police. I hope you had it insured."Joe: "Oh well, at least I still have my shadow."

In reply to by prefan4200