Equifax Says Cyberattack May Have Affected 143 Million Customers

Equifax, one of the three major consumer credit reporting agencies, said on Thursday that hackers had gained access to company data that potentially compromised sensitive information for 143 million American consumers, including Social Security numbers and driver’s license numbers.

The attack on the company represents one of the largest risks to personally sensitive information in recent years, and is the third major cyber security threat for the agency since 2015.

Equifax, based in Atlanta, is a particularly tempting target for hackers. If identity thieves wanted to hit one place to grab all the data needed to do the most damage, they would go straight to one of the three major credit reporting agencies.

“This is about as bad as it gets,” said Pamela Dixon, executive director of the World Privacy Forum, a nonprofit research group. “If you have a credit report, chances are you may be in this breach. The chances are much better than 50 percent.”

Criminals gained access to certain files in the company’s system from mid-May to July by exploiting a weak point in website software, according to an investigation by Equifax and security consultants. The company said that it discovered the intrusion on July 29 and has since found no evidence of unauthorized activity on its main consumer or commercial credit reporting databases.

In addition to the other material, hackers were also able to retrieve names, birth dates and addresses. Credit card numbers for 209,000 consumers were stolen, while documents with personal information used in disputes for 182,000 people were also taken.

Other cyberattacks, such as the two breaches that Yahoo announced in 2016, have eclipsed the penetration at Equifax in sheer size, but the Equifax attack is worse in terms of severity. Thieves were able to siphon far more personal information — the keys that unlock consumers’ medical histories, bank accounts and employee accounts.

“On a scale of 1 to 10 in terms of risk to consumers, this is a 10,” said Avivah Litan, a fraud analyst at Gartner.

An F.B.I. spokesperson said the agency was aware of the breach and was tracking the situation.

Last year, identity thieves successfully made off with critical W-2 tax and salary data from an Equifax website. And earlier this year, thieves again stole W-2 tax data from an Equifax subsidiary, TALX, which provides online payroll, tax and human resources services to some of the nation’s largest corporations.

People can go to the Equifax website to see if their information has been compromised. The site encourages customers to offer their last name and the last six digits of their Social Security number. When they do, however, they do not necessarily get confirmation about whether they were affected. Instead, the site provides an enrollment date for its protection service, and it may not start for several days.

The company also suggests getting a free copy of your credit report from the three major credit bureaus: Equifax, Experian and TransUnion. These are available at annualcreditreport.com. It also suggests contacting a law enforcement agency if you believe any stolen information has already been used in some way.

Equifax’s credit protection service, which is free for one year for consumers who enroll by Nov. 21, is available to everyone and not just the victims of the breach.

Equifax is offering consumers the ability to freeze their Equifax credit reports, said John Ulzheimer, a consumer credit expert who often does expert witness work for banks and credit unions and worked at Equifax in the 1990s. Thieves could have information stolen from Equifax and used it to open accounts with creditors that use Experian or TransUnion.

Governments regularly buy stolen personal information on the so-called Dark Web, security experts say. The black market sites where this information is sold are far more exclusive than black markets where stolen credit card data is sold. Interested buyers are even asked to submit to background checks before they are admitted.

“Cyberwar is in large part conducted through data mining and cyberintelligence,” Ms. Litan said. “This is also a Homeland Security risk as enemy nation states build databases of Americans that they then use to get to their targets, for example a network operator at a power grid, or a defense contractor at a missile defense company.”