The credit reporting agency Equifax has admitted that hackers have stolen the personal data of nearly half the US population. Customers in the UK and Canada were also affected by the breach in July.
Equifax said on Thursday it "acted immediately" with the help of a cybersecurity firm after learning of the security breach on July 29. But the Atlanta-based credit scoring agency didn't explain why it waited more than a month to go public and warn its clients about the risk of identity theft.
As many as 143 million US consumers were affected along with clients in the UK and Canada.
Credit card numbers stolen
The company said that names, social security numbers, birth dates, addresses and driver's license numbers were stolen from the company's database. It said some 209,000 US customers had their credit card numbers compromised, while credit dispute documents for some 182,000 people were also accessed.
"This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do," said company chairman and chief executive Richard Smith.
"I apologize to consumers and our business customers for the concern and frustration this causes."
Equifax collects information about the public and businesses. Its credit ratings are used to decide whether loans and other financial products get approved. Ironically, it has touted itself as offering protection against identity theft.
The attack took place between mid-May and July, according to a statement from the company. The credit scoring firm said it had reported the breach to the FBI and was carrying out its own internal investigation. It said staff would work with authorities in Canada and the UK to inform customers in those countries.
Equifax said it had set up a website to help customers determine whether their personal details were compromised.
Executives sold stock
The company's shares fell nearly 19 percent in after-hours trading as investors reacted to the news, along with revelations that three Equifax executives sold shares in the company just days after the firm learned of the breach.
Chief Financial Officer John Gamble and two other executives, Rodolfo Ploder and Joseph Loughran, sold some $1.8 million in stock.
But the firm told the AFP news agency that the executives "had no knowledge that an intrusion had occurred at the time they sold their shares."
Two years ago, its rival Experian experienced a similar attack that saw around 15 million new customers of T-Mobile affected.
Other large US companies have seen major hack attacks, including Yahoo, which disclosed last year that as many as billion accounts had been exposed to hackers.
mm/ng (AFP, AP, Reuters)