A massive cyber security incident at Equifax — one of the largest credit reporting agencies in the United States — may have exposed private information belonging to 143 million people — nearly half of the U.S. population.
The breach, which was discovered July 29, includes sensitive information such as social security numbers, birthdays, addresses, and in some instances, driver's license numbers. The agency said 209,000 credit card numbers were exposed in the breach, which includes customers in Canada and the United Kingdom.
Adding to the scandal, three of the company's top executives sold Equifax shares just days after the breach was discovered. The breach was not publicly disclosed until Thursday, more than six weeks later.
John Gamble, chief financial officer; Joseph Loughran, president of U.S. information security; and Rodolfo Ploder, president of workforce solutions solutions, all sold shares days after the company was aware of the breach, according to SEC filings. Bloomberg, which first reported this, estimated the total value of shares sold to be $1.8 million.
An Equifax representative told NBC News the three executives sold a "small percentage" of their shares and "had no knowledge that an intrusion had occurred at the time they sold their shares."
The FBI is actively investigating the cyber incident and Equifax has been cooperating, law enforcement sources told NBC News.
The irony: Equifax is the agency many people use to guard against identity theft and one that businesses turn to when verifying a person is who they say they are. Now, with the private information in the hands of cyber thieves, customers are being placed in a difficult position.
"Equifax is tasked with actually protecting this information in the form of identity theft protection and here we are with almost half of the country's population being affected," Robert Siciliano, CEO of IDTheftSecurity.com, told NBC News.
Richard Smith, chairman and CEO of Equifax, apologized to "consumers and our business customers for the concern and frustration this causes.”
“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do," said Smith.
In a statement, Equifax said the cyber security breach was discovered on July 29. Since then, the company has been working with an independent security firm to understand what happened and how they can better protect themselves in the future.
Were You Affected?
Even if you don't think you're a customer of Equifax, there's a strong possibility they still have your data. As a credit reporting agency, Equifax gets information from credit card companies, banks, lenders, and retailers to help it determine a person's credit score.
Want to see if you might be affected? Equifax will let you check your potential impact by typing in your last name and the last six digits of your Social Security number. All U.S. customers will also be given a date when they can sign up for TrustedID Premier, which includes identity theft insurance, credit reports and a service that crawls the internet and alerts you if your Social Security number is posted somewhere online.
Equifax has set up a dedicated website and phone number for concerned customers to call with questions. In addition, the company said it will mail notices to people who may have had their credit card numbers or personally identifying information exposed on dispute documents.
The bottom line here, Siciliano said, is to pay close attention to your credit card statements. With more than 200,000 credit card numbers exposed, he said extra vigilance is vital.
"The best thing a consumer can do in response is to engage in what's called a credit freeze," he said. "This essentially locks down your Social Security number on your credit report, preventing criminals from opening new lines of credit under your name."
You'll need to call the three major credit reporting agencies to ask for a freeze. The Federal Trade Commission lists more details on how to do that here.