Credit monitor Equifax said Thursday that hackers have gained access to personal information belonging to 143 million U.S. consumers after exploiting a vulnerability on the company's website. Now the unwitting victims have to worry about the threat of having their identities stolen.
The high-tech heist occurred between mid-May and July, according to Equifax (EFX), one of the nation's biggest credit bureaus. The leaked information includes names, Social Security numbers, birth dates and in some cases driver's license numbers.
CBS News has confirmed the FBI is looking into the breach.
Credit card numbers for about 209,000 consumers and documents related to credit reporting disputes for 182,000 people also were exposed, Equifax said, adding that hackers also accessed some information from British and Canadian consumers. The company doesn't think residents of other countries were affected.
"The motives for hacking can be very different with each incident, but tend to be concentrated on disruption or financial gain," said Kris Monaco, managing partner at Level ETF Ventures. "Credit card and personal data are the lifeblood of every hacking scheme, so criminals were obviously focusing on a rich target like Equifax."
Equifax said it found no evidence of unauthorized activity on the company's core consumer or commercial credit reporting databases. It discovered the intrusion on July 29 and acted immediately to stop it, the company said.
Equifax also said it alerted law enforcement about the cyberattack. And it has set up a special website where people can check to see if their personal information may have been stolen. Consumers can also call 866-447-7559 for more information.
Personal finance experts warned consumers who may have been affected by the hack to be on their guard.
"When breaches like these happen, consumers need to be diligent -- and not just in the short term," said Matt Schulz, senior industry analyst with CreditCards.com. "Just because nothing looks amiss on your bank statements or your credit report now, that doesn't mean you haven't been compromised. Bad guys can be very patient, so it's important to keep an eye out long after this story fades from the headlines."
The biggest hack in U.S. corporate history happened to Yahoo, which saw data for more than 1 billion users compromised in 2013 and 2014. But the Equifax breach could end up being more damaging for consumers because no Social Security numbers or drivers' license information were stolen in the Yahoo hack.
"On a scale of one to 10, this is a 10 in terms of potential identity theft," said Gartner security analyst Avivah Litan of the Equifax news. "Credit bureaus keep so much data about us that affects almost everything we do."
Lenders rely on the information collected by the credit bureaus to help them decide whether to approve financing for homes, cars and credit cards. Credit checks are even sometimes done by employers when deciding whom to hire for a job.
While Equifax said it discovered the hack at the end of July, it waited until Thursday to warn consumers. The Atlanta-based company declined to comment on that delay or anything else beyond its published statement. It's not unusual for U.S. authorities to ask a company hit in a major hack to delay public notice so that investigators can pursue the perpetrators.
"This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do," Equifax CEO Richard Smith said in a statement. "I apologize to consumers and our business customers for the concern and frustration this causes."
Equifax's security lapse could be the largest theft involving Social Security numbers, one of the most common methods used to confirm a person's identity in the U.S. It eclipses a 2015 hack at health insurer Anthem Inc. that involved the Social Security numbers of about 80 million people.
Any data breach threatens to tarnish a company's reputation, but it is especially mortifying for Equifax, whose entire business revolves around providing a clear financial profile of consumers that lenders and other businesses can trust.
"This really undermines their credibility," Litan said. It also could undermine the integrity of the information stockpiled by two other major credit bureaus, Experian and TransUnion, since they hold virtually all the data that Equifax does, Litan said.
Equifax's stock dropped 13 percent to $124.10 in extended trading after its announcement of the breach.
"It will take months or years for Equifax to recover -- from both the impact on its stock and on consumers' trust -- and no doubt they'll be learning from this for years," said Ray Rothrock, CEO of security software company RedSeal.
Three Equifax executives insulated themselves from that downturn by selling shares worth a combined $1.8 million just a few days after the company discovered it had been hacked, according to documents filed with securities regulators.
The sales, executed on August 1 and August 2, were made by: John Gamble, Equifax's chief financial officer; Rodolfo Ploder, Equifax's president of workforce solutions; and Joseph Loughran, Equifax's president of U.S. information solutions. Bloomberg News first reported the divestitures.
The potential aftershocks of the Equifax breach should make it clear that Social Security numbers are becoming an unreliable way to verify a person's identity, Nathaniel Gleicher, the former director of cybersecurity policy in the White House during the Obama administration, said in an email statement.
"This breach might just have put the nail in the coffin of the idea that we can use personal identifiers like Social Security numbers as security factors," wrote Gleicher, who now oversees cybersecurity strategy for computer security firm Illumio.
The Associated Press contributed to this report.