About 143 million US customers of credit report giant Equifax may have had information compromised in a cyber security breach, the company has disclosed.
Equifax said cyber-criminals accessed data such as Social Security numbers, birth dates and addresses during the incident.
Some UK and Canadian customers were also affected.
The firm’s core consumer and commercial credit databases were not accessed.
Equifax said hackers accessed the information between mid-May and the end of July, when the company discovered the breach.
Malicious hackers won access to its systems by exploiting a “website application vulnerability”, it said but provided no further details.
The hackers accessed credit card numbers for about 209,000 consumers, among other information.
Equifax chief executive Richard Smith said the incident was “disappointing” and “one that strikes at the heart of who we are and what we do”.
“I apologise to consumers and our business customers for the concern and frustration this causes,” said Richard Smith, Equifax chairman and chief executive.
“We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations.”
It said it was working with law enforcement agencies to investigate and had hired a cyber-security firm to analyse what happened. The FBI is also believed to be monitoring the situation.
The company said it would work with regulators in the US, UK and Canada on next steps. It is also offering free credit monitoring and identity theft protection for a year.
Equifax said it had set up a website – www.equifaxsecurity2017.com – through which consumers can check if their data has been caught up in the breach. Many people trying to visit the site reported via social media that they had problems reaching it and that security software flagged it as potentially dangerous.
The UK’s Information Commissioner (ICO) said reports about the data breach and the potential involvement of UK citizens gave it “cause for concern”.
It said it was in contact with Equifax to find out how many British people were affected and the kinds of data that had been compromised.
“We will be advising Equifax to alert affected UK customers at the earliest opportunity,” said the ICO in a statement.
The breach is one of the largest ever reported in the US and, said experts, could have a significant impact on any Americans affected by it.
“On a scale of 1 to 10, this is a 10,” said Avivah Litan, a Gartner analyst who monitors ID theft and fraud. “It affects the whole credit reporting system in the United States because nobody can recover it, everyone uses the same data.”
Security expert Brian Krebs said Equifax was just one of several credit agencies that had been hit by hackers in recent years.
“The credit bureaus have for the most part shown themselves to be terrible stewards of very sensitive data,” wrote Mr Krebs. “and are long overdue for more oversight from regulators and lawmakers.”
Credit rating firm Equifax holds data on more than 820 million consumers as well as information on 91 million businesses.
Recent massive data breaches
- Yahoo one billion records exposed
- 711 million online spambot accounts
- 412 million Friend Finder Networks
- 200 million US voter records