
Equifax website hack exposes data for ~143 million US consumers

Breach affecting 44 percent of US population is one of the biggest yet.


Equifax, a provider of consumer credit reports, said it experienced a data breach affecting as many as 143 million US people after criminals exploited a vulnerability on its website. The US population is about 324 million people, so that's about 44 percent of its population.

The data exposed in the hack includes names, Social Security numbers, birth dates, addresses, and, in some cases, driver license numbers. The hackers also accessed credit card numbers for 209,000 US consumers and dispute documents with personal identifying information for about 182,000 US people. Limited personal information for an unknown number of Canadian and UK residents was also exposed. Equifax—which also provides credit monitoring services for people whose personal information is exposed—said the unauthorized access occurred from mid-May through July. Equifax officials discovered the hack on July 29.

"Criminals exploited a US website application vulnerability to gain access to certain files," Equifax said in a statement late Thursday, without elaborating. That leaves open a wide range of possibilities, with injection bugs, faulty authentication mechanisms, and cross-site scripting vulnerabilities topping the list of the most widely exploited website flaws.

This isn't the first time a garden-variety website flaw has been exploited to obtain a massive amount of sensitive data. Associates of Albert Gonzalez, a convicted hacker who was sentenced to 11 years in federal prison, exploited a SQL-injection flaw that helped them obtain data for 130 million credit cards. On Wednesday, exploit code for a nine-year-old code-execution vulnerability in Apache Struts 2—a software framework used by many large financial service websites—went public, but there was no immediate indication that the Equifax site uses it.

This isn't the first time Equifax has been involved in a breach that exposed sensitive consumer data. In 2013, the company confirmed that the personal details for famous people—including US Vice President Joe Biden, FBI Director Robert Mueller, Attorney General Eric Holder, and rap star Jay Z—were exposed on annualcreditreport.com, a site that allows consumers to monitor their credit reports. Lax security on the site allowed people to gain unauthorized access to other people's reports by supplying their previous addresses, mortgages, outstanding loans, and other details that are often widely known.

People who want to know if their data was exposed can enter their last name and the last six digits of their Social Security number on this page. Unfortunately, the responses to those queries are extremely opaque. Another major shortcoming: the site is hosted on a third-party domain that's protected by a TLS certificate that wasn't being properly checked for revocation at the time this post was being written. On Thursday, Equifax offered to provide free credit monitoring for people affected by the latest breach.
