A huge security breach at credit reporting company Equifax has exposed sensitive information, such as Social Security numbers and addresses, of up to 143 million Americans.
Unlike other data breaches, those affected by the breach may not even know they’re customers of the company.
Equifax is one of three nationwide credit-reporting agencies that track and rate the financial history of consumers. The company gets its data from credit card companies, banks, retailers and lenders — sometimes without you knowing.
The data breach is among the worst ever because of the amount of people affected and the sensitive type of information exposed.
How many people were affected?
The company says as many as 143 million people in the United States were hit. Others in the U.K. and Canada were also impacted, but Equifax hasn’t said how many. Credit card numbers for about 209,000 U.S. customers were compromised, in addition to “personal identifying information” on about 182,000 U.S. customers.
Who was impacted?
Equifax said it will send notices in the mail to people whose credit card numbers or dispute records were breached. The company said it found no evidence that consumers in other countries were affected beyond the U.S., U.K. and Canada.
What information was accessed?
The hackers accessed personal information such as names, Social Security numbers, birth dates, addresses, credit card numbers and the numbers of some driver’s licenses.
When did this happen?
Equifax said the breach happened between mid-May and July. It discovered the hack on July 29. It informed the public on September 7.
How did this happen?
Equifax said criminals “exploited a U.S. website application vulnerability to gain access to certain files.” A company spokesperson did not immediately respond to a request for further comment.
Who was behind the breach?
The company hasn’t clarified but noted an investigation is ongoing.
Am I at risk, and what is Equifax doing to help?
Equifax is proposing that customers sign up for credit file monitoring and identity theft protection. It is giving free service for one year through its TrustedID Premier business, regardless of whether you’ve been impacted by the hack.
To enroll and/or check whether you were affected, visit www.equifaxsecurity2017.com and click on the Check Potential Impact tab. You’ll need to provide your last name and the last six digits of your social security number. Once submitted, you will receive a message indicating whether you’ve been affected.
Then, you have the option to enroll in the program, but you can’t actually sign up for the service until next week. Each customer is provided an enrollment date starting earliest on Monday.
Can I sue Equifax?
If you sign up for Equifax’s offer of free identity theft protection and credit file monitoring, you may be limiting your rights to sue and be forced to take disputes to arbitration. But you can opt out of that provision if you notify the company in writing within 30 days. In addition, some attorneys argue that even if you don’t opt out, the arbitration provision does not cover suits related to this breach.
Is anyone investigating the breach?
New York Attorney General Eric Schneiderman launched a formal investigation into the hack on Friday.
Meanwhile, Congressman Ted Lieu, a Democrat from California, sent a letter to House Judiciary Committee Chairman Bob Goodlatte and ranking member John Conyers calling for a hearing to investigate the data breach.
The House Financial Services Committee Chairman Jeb Hensarling, a Republican from Texas, also said his committee will hold a hearing on the breach.
Consumer Financial Protection Bureau is looking into the breach as well
“The CFPB is authorized to take enforcement action against institutions engaged in unfair, deceptive, or abusive acts or practices, or that otherwise violate federal consumer financial laws. We are looking into the data breach and Equifax’s response, but cannot comment further at this time,” a spokesperson told CNNMoney.