More info from Equifax's FAQ about the incident:
What happened?
We identified a cybersecurity incident potentially impacting approximately 143 million U.S. consumers. Criminals exploited a U.S. website application vulnerability to gain access to certain files. We discovered the unauthorized access and acted immediately to stop the intrusion. We promptly engaged a leading, independent cybersecurity firm that has been conducting a comprehensive forensic review to determine the scope of the intrusion, including the specific data impacted. We also reported the criminal access to law enforcement and continue to work with authorities.
When did the company learn of this incident?
We learned of the incident on July 29, 2017, and acted immediately to stop the intrusion and conduct a forensic review.
Over what period of time did the unauthorized access occur?
Based on our investigation, the unauthorized access occurred from mid-May through July 2017.
Who and how many people are affected?
This incident potentially impacts approximately 143 million U.S. consumers. We have established a dedicated website, www.equifaxsecurity2017.com, to help U.S. consumers determine if their information has been potentially impacted. As part of our investigation of this application vulnerability, we also identified unauthorized access to limited personal information for certain UK and Canadian residents. We will work with UK and Canadian regulators to determine appropriate next steps.
What information may have been impacted?
The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. Criminals also accessed credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers. As part of our investigation of this application vulnerability, we also identified unauthorized access to limited personal information for certain UK and Canadian residents. We have found no evidence that personal information of consumers in any other country has been impacted.
Are Equifax’s core consumer or commercial credit reporting databases impacted?
We have found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.
Is the issue contained?
Yes, this issue has been contained.
What was the vulnerability?
Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted. We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.
What are you doing to prevent this from happening again?
We have engaged a leading, independent cybersecurity firm to conduct an assessment and provide recommendations on steps that can be taken to help prevent this type of incident from happening again.
What steps should I immediately take?
To determine if your personal information may have been impacted and for steps to protect your information, please visit www.equifaxsecurity2017.com. We recommend that consumers be vigilant in reviewing their account statements and credit reports, and that they immediately report any unauthorized activity to their financial institutions. We also recommend that they monitor their personal information and visit the Federal Trade Commission’s website, www.ftc.gov/idtheft, to obtain information about steps they can take to better protect against identity theft as well as information about fraud alerts and security freezes.
Why am I learning about this incident through the media? Why didn’t Equifax notify me directly?
Equifax issued a national press release in order to notify U.S. consumers of this incident and has established a website, www.equifaxsecurity2017.com, where U.S. consumers can receive further information.
Why was there a delay between when the incident was discovered and the public was notified?
As soon as Equifax discovered the unauthorized access, Equifax acted immediately to stop the intrusion. The company promptly engaged a leading, independent cybersecurity firm which has been conducting a comprehensive forensic review to determine the scope of the intrusion, including the specific data impacted. Because this incident involves a substantial amount of personal identifying information, the investigation has been complex and time-consuming. As soon as we had enough information to begin notification, we took appropriate steps to do so.