Credit reporting firm Equifax reported on Thursday a breach in which cyber criminals gained access to personal information on as many as 143 million U.S. consumers.
The firm said the “cybersecurity incident” resulted in hackers accessing names, Social Security numbers, birth dates and other personal information on as many as 143 million consumers. The U.S. population is estimated to be around 324 million, according to the Census Bureau.
Thousands also had their credit card numbers and dispute documents accessed.
Equifax said in a statement that hackers “exploited a U.S. website application vulnerability” to gain unauthorized access to the files between mid-May and July. However, the company’s investigation has turned up “no evidence” that hackers accessed the company’s core consumer or commercial credit reporting databases.
In addition to the U.S. consumers affected, the company also discovered that some residents in the U.K. and Canada had their personal information accessed.
Equifax is offering free identity theft protection and credit file monitoring to U.S. consumers. The company has also set up a website specifically designated to help consumers determine if their information was caught up in the breach. The company plans to notify by mail those who had their personal identifying information accessed.
Sen. Mark Warner (D-Va.), the chairman of the Senate Intelligence Committee, called the data breach “profoundly troubling.”
Warner said the scope of the breach “raises serious questions about whether Congress should not only create a uniform data breach notification standard, but also whether Congress needs to rethink data protection policies, so that enterprises such as Equifax have fewer incentives to collect large, centralized sets of highly sensitive data like SSNs and credit card information on millions of Americans.”
“It is no exaggeration to suggest that a breach such as this – exposing highly sensitive personal and financial information central for identity management and access to credit– represents a real threat to the economic security of Americans,” he added.
Equifax says it discovered the breach on July 29 and has been working with a private cybersecurity firm as well as law enforcement to investigate the breach.
Richard Smith, the company’s chairman and chief executive officer, described the incident as “disappointing” and apologized to customers.
“We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations,” Smith said. “We also are focused on consumer protection and have developed a comprehensive portfolio of services to support all U.S. consumers, regardless of whether they were impacted by this incident.”
Equifax Inc. is a global consumer credit reporting agency based in Atlanta and is one of the largest credit bureaus in the United States.
Updated: 8:30 p.m.