ATLANTA -- Consumer credit reporting agency Equifax announced a "cybersecurity incident" that could impact more than 140 million Americans -- nearly half the population of the United States.
Equifax said the information accessed includes names, credit card numbers, Social Security numbers, birthdates, addresses and, in some instances, driver’s license numbers.
"Criminals exploited a U.S. website application vulnerability to gain access to certain files," the company said in a statement issued Thursday.
The company discovered the breach on July 29; the unauthorized access had started in mid-May.
“From an information perspective, companies like Equifax will have enough information to be able to [assume identities] quite easily,” said Mike Weber, vice president, labs, of Westminster-based Coalfire.
The company has engaged with a separate cybersecurity firm to conduct a forensic review of the intrusion, and law enforcement officials are currently investigating.
The company will offer free identity theft protection and credit file monitoring to all U.S. consumers.
Equifax also identified unauthorized access to limited personal information for certain U.K. and Canadian residents, according to the statement.
Equifax is considered one of the three largest American credit agencies.
“If you’ve ever done anything financial in your entire life, [Equifax] will have your data,” said Denver-based OWL Cybersecurity vice president Andrew Lewman.