Many questions after Equifax revises its potential victims to 145.5 million
It took months for credit reporting agency Equifax to report the attack that affected 145.5 million people, including 8,000 Canadians. Here's a timeline of the hack and how the company responded.
ATLANTA—Months after hackers gained access to the personal data of millions of American, Canadian and U.K. consumers through Equifax’s website, the company disclosed the massive cyberattack to the public.
It added 2.5 million Americans to those affected by the massive security breach of its systems, bringing the total to 145.5 million people who had their personal information accessed or stolen.
Equifax said the company it hired to investigate the breach, Mandiant, has concluded its investigation and plans to release the results “promptly.” The company also said that by Oct. 8 it would update its own notification for people who want to check if they were among those affected.
The information stolen earlier this year included names, Social Security numbers, birth dates and addresses—the kind of information that could put people at significant risk for identity theft.
It now faces multiple investigations and lawsuits in Canada and south of the border, while its shares have fallen more than 30 per cent in less than two weeks.
Here is a look at how one of the largest cyberattacks in history unfolded and the fallout that followed:
Early March 2017
The United States Computer Emergency Readiness Team detects and discloses a vulnerability in Apache Struts, a widely used web-application software product.
May 13 to July 30
Hackers have unauthorized access to Equifax Inc.’s files.
The company later says the hackers gained access through the vulnerability in Apache Struts, which supports Equifax’s online dispute portal web application.
Equifax’s security team observes suspicious network traffic on a U.S. online dispute portal web application. The company’s security team blocks the identified suspicious traffic.
The company says in later communication that it “acted immediately to stop the intrusion.”
The same team observes more suspicious activity and the company takes the affected web application offline.
Equifax contacts cybersecurity firm Mandiant, which spends several weeks conducting a forensic review.
Equifax publicly discloses the cyberattack for the first time, saying it may have compromised the personal data of up to 143 million Americans. The company adds that an unspecified number of U.K. and Canadian consumers also may have been impacted.
On a website for affected U.S. consumers, Equifax explains that the complex and time-consuming investigation is behind the delay between its discovery of the breach and disclosing it.
“As soon as we had enough information to begin notification, we took appropriate steps to do so,” the company says.
An Ontario resident files a proposed class action in the province, seeking $550 million in damages from Equifax, according to Toronto-based law firm Sotos LLP. It is one of at least two proposed class action lawsuits filed in Canada against the credit monitoring company.
The Federal Trade Commission says it is opening an investigation into the hack.
The chairmen of two congressional committees say in a letter to Equifax CEO Richard Smith that they are investigating the breach and ask for a slew of documents and a company briefing by Sept. 28.
The Office of the Privacy Commissioner of Canada launches an investigation into the breach.
Equifax says fewer than 400,000 U.K. consumers had some of their personal information compromised, but it was more limited in scope and unlikely to lead to identity theft.
The company says its chief information officer and chief security officer are retiring. Both are replaced with internal employees on an interim basis effective immediately.
Equifax says about 100,000 Canadian consumers may have had their personal information and credit card details compromised in the cyberattack. The breached data may have included names, addresses, social insurance numbers and, in limited cases, credit card numbers.
Later that day, Equifax revealed that it also had a security breach earlier this year that involved a different part of the company than the one accessed in the larger hack.
The breach involved TALX, which is Equifax’s human resources and payroll service. The company said there’s no evidence that the TALX breach, which happened between March and April this year, and the wider breach are related.
Equifax provides an update saying a completed review determined that personal information of approximately 8,000 Canadian consumers was impacted, down from its original estimate of 100,000.
However, it said the review added about 2.5 million Americans to the list of those affected by the massive cyberattack, bringing the total number of people in the U.S. potentially impacted to 145.5 million.