Joint Strike Fighter plans stolen in Australia cyber attack

Two Lockheed Martin Corp F-35 stealth fighter jets fly to the Avalon Airshow in Victoria, Australia, March 3, 2017. Australian Defence Force/Handout via REUTERS

By Tom Westbrook

SYDNEY (Reuters) – A hacker stole non-classified information about Australia’s Joint Strike Fighter program and other military hardware last year after breaching the network of a defense contractor, the defense industry minister said on Thursday.

About 30 gigabytes of data was stolen in the cyber attack, including details of the Joint Strike Fighter warplane and P-8 Poseidon surveillance plane, according to a presentation on the hack by a government official.

“Fortunately the data that has been taken is commercial data, not military data … it’s not classified information,” Defence Industry Minister Christopher Pyne told Australian Broadcasting Corporation (ABC) Radio.

“I don’t know who did it.”

In a presentation to a conference in Sydney, an official from the Australian Signals Directorate (ASD) intelligence agency said technical information on smart bombs, the Joint Strike Fighter, the Poseidon maritime patrol aircraft and several naval vessels was stolen.

“The compromise was extensive and extreme,” said the official, Mitchell Clarke, in an audio recording made by a ZDNet journalist and broadcast by the ABC.

Clarke said the attacker accessed the small contractor’s systems for five months in 2016, and the “methodical, slow and deliberate,” choice of target suggested a nation-state actor could be behind the raid.

Australia has agreed to buy 72 Lockheed Martin Corp Joint Strike Fighter planes.

A spokesman for the Australian Cyber Security Centre (ACSC), a government agency, said the government would not release further details about the cyber attack.

The ACSC said in a report on Monday that it responded to 734 cyber attacks on “systems of national interest” for the year ended June 30, and the defense industry was a major target.

The attack on the defense contractor was carried out by a “malicious cyber adversary”, it said.

In 2016 the agency said it responded to 1,095 cyber attacks over an 18-month period, including an intrusion from a foreign intelligence service on the weather bureau.

(Reporting by Tom Westbrook; Editing by Stephen Coates)

North Korea hackers stole South Korea-U.S. military plans to wipe out North Korea leadership: lawmaker

The North Korea flag flutters next to concertina wire at the North Korean embassy in Kuala Lumpur, Malaysia March 9, 2017. REUTERS/Edgar Su

By Christine Kim

SEOUL (Reuters) – North Korean hackers stole a large amount of classified military documents, including South Korea-U.S. wartime operational plans to wipe out the North Korean leadership, a South Korean ruling party lawmaker said on Wednesday.

Democratic Party representative Rhee Cheol-hee said 235 gigabytes of military documents were taken from the Defense Integrated Data Center in September last year, citing information from unidentified South Korean defense officials.

An investigative team inside the defense ministry announced in May the hack had been carried out by North Korea, but did not disclose what kind of information had been taken.

Pyongyang has denied responsibility in its state media for the cyber attacks, criticizing Seoul for “fabricating” claims about online attacks.

Separately on Wednesday, cyber security firm FireEye said in a statement North Korea-affiliated agents were detected attempting to phish U.S. electric companies through emails sent in mid-September, although those attempts did not lead to a disruption in the power supply.

It did not specify when the attempts had been detected or clarify which companies had been affected.

Rhee, currently a member of the National Assembly’s committee for national defense, said about 80 percent of the hacked data had not yet been identified, but that none of the information was expected to have compromised the South Korean military because it was not top classified intelligence.

Some of the hacked data addressed how to identify movements of members of the North Korean leadership, how to seal off their hiding locations, and attack from the air before eliminating them.

Rhee said the North could not have taken the entire operation plans from the database because they had not been uploaded in full.

These plans had likely not been classified properly but defense ministry officials told Rhee the hacked documents were not of top importance, he said.

“Whatever the North Koreans took, we just need to fix the plans,” Rhee later told Reuters by telephone. “I disclosed this because the military hasn’t been doing that fast enough.”

SIMPLE MISTAKE

Rhee said on radio the hack had been made possible by “a simple mistake” after a connector jack linking the military’s intranet to the internet had not been eliminated after maintenance work had been done on the system.

The South Korean Defense Ministry’s official stance is that they cannot confirm anything the lawmaker said about the hacked content due to the sensitivity of the matter.

In Washington, the Pentagon said it was aware of the media reports but would not comment on the potential breach.

“Although I will not comment on intelligence matters or specific incidents related to cyber intrusion, I can assure you that we are confident in the security of our operations plans and our ability to deal with any threat from North Korea,” Pentagon spokesman Colonel Robert Manning told reporters.

FireEye said the phishing attack on the electric companies detected was “early-stage reconnaissance” and did not indicate North Korea was about to stage an “imminent, disruptive” cyber attack. The North has been suspected of carrying out similar cyber attacks on South Korean electric utilities, in addition to other government and financial institutions.

Those attempts were likely aimed at creating a means of “deterring potential war or sowing disorder during a time of armed conflict”, FireEye said.

“North Korea linked hackers are among the most prolific nation-state threats, targeting not only the U.S. and South Korea but the global financial system and nations worldwide,” its statement said.

“Their motivations vary from economic enrichment to traditional espionage to sabotage, but all share the hallmark of an ascendant cyber power willing to violate international norms with little regard for potential blowback,” it said.

(Reporting by Christine Kim in SEOUL and Ishita Chigilli Palli in Bengaluru; Additional reporting by Idrees Ali in Washington; Editing by James Dalgleish, Michael Perry and Paul Tait)

Exclusive: SEC’s corporate filing system vulnerable to denial of service attacks – memo

FILE PHOTO: The seal of the U.S. Securities and Exchange Commission hangs on the wall at SEC headquarters in Washington, DC, U.S. on June 24, 2011. REUTERS/Jonathan Ernst/File Photo

By Sarah N. Lynch and Jim Finkle

(Reuters) – The U.S. Securities and Exchange Commission (SEC), Wall Street’s top regulator, has discovered a vulnerability in its corporate filing database that could cause the system to collapse, according to an internal document seen by Reuters.

The SEC’s September 22 memo reveals that its EDGAR database, containing financial reports from U.S. public companies and mutual funds, could be at risk of “denial of service” attacks, a type of cyber intrusion that floods a network, overwhelming it and forcing it to close.

The discovery came when the SEC was testing EDGAR’s ability to absorb monthly and annual financial filings that will be required under new rules adopted last year for the $18 trillion mutual fund industry.

The memo shows that even an unintentional error by a company, and not just hackers with malicious intentions, could bring the system down. Even the submission of a large “invalid” form could overwhelm the system’s memory.

The defect comes after the SEC’s admission last month that hackers breached the EDGAR database in 2016.

The discovery will likely add to concerns about the vulnerability of the SEC’s network and whether the agency has been adequately addressing cyber threats.

The mutual fund industry has long had concerns that market-sensitive data required in the new rules could be exploited if it got into the wrong hands.

The industry has since redoubled its calls for SEC Chairman Jay Clayton to delay the data-reporting rules, set to go into effect in June next year, until it is reassured the information will be secure.

“Clearly, the SEC should postpone implementation of its data reporting rule until the security of those systems is thoroughly tested and assessed by independent third parties,” said Mike McNamee, chief public communications officer of The Investment Company Institute (ICI), whose members manage $20 trillion worth of assets in the United States.

“We are confident Chairman Clayton will live up to his pledge that the SEC will take whatever steps are necessary to ensure the security of its systems and the data it collects.”

An SEC spokesman declined to comment.

The rules adopted last year requiring asset managers to file monthly and annual reports about their portfolio holdings were designed to protect them in the event of a market crisis by showing the SEC and investors that they have enough liquidity to cover a rush of redemptions.

During a Congressional hearing on Wednesday, Clayton testified that the agency was considering whether to delay the rules in light of the cyber concerns. He did not, however, mention anything about the denial of service attack vulnerability.

VIRTUAL VOMIT

EDGAR is the repository for corporate America, housing millions of filings ranging from quarterly earnings to statements on acquisitions.

It is a virtual treasure trove for cyber criminals who could trade on any information gleaned before it is publicly released.

In the hack disclosed last month involving EDGAR, the SEC has said it now believes the criminals may have stolen non-public data for illicit trading.

The vulnerability revealed in the September memo shows that even an invalid form could jam up EDGAR.

The system did not immediately reject the form, the memo says. Rather, “it was being validated for hours before failing due to an invalid form type.”

That conclusion could spell trouble for the SEC’s EDGAR database because it means that if hackers wanted to, they could “basically take down the whole EDGAR system” by submitting a malicious data file, said one cyber security expert with experience securing networks of financial regulators who reviewed the letter for Reuters.

“The system would consume the data and essentially throw up on itself,” the person added.

(Reporting by Sarah N. Lynch in Washington and Jim Finkle in Toronto; Editing by Carmel Crimmins)

Rising hacker threat will trigger boom in cyber crime insurance, Tryg says

People pose in front of a display showing the word 'cyber' in binary code, in this picture illustration taken in Zenica December 27, 2014. REUTERS/Dado Ruvic

COPENHAGEN (Reuters) – Insurer Tryg <TRYG.CO> expects 90 percent of its corporate customers to buy cyber crime insurance within five years as the threat from hackers and viruses to crucial data and IT systems grows.

Tryg, Denmark’s biggest insurer, has sold 5,000 cyber crime insurance policies since the turn of the year when it launched a new product providing assistance in restoring data and getting systems up and running if a firm is hit by a cyber attack.

“There are no corporate clients today that don’t have insurance on their buildings or cars, but I think that within a very few years it will be just as evident that you should insure against cyber crime,” chief executive Morten Hubbe told Reuters on Wednesday.

The initial rise in demand for cyber insurance was prompted by the ransomware attack, named “Wannacry”, that infected more than 300,000 computers worldwide in May.

He estimated that around 50 percent of the firm’s corporate clients would buy such an insurance by 2020 and from that point it would only take “a couple of years” to reach 90 percent.

Tryg’s two business segments for small and medium size businesses and larger corporate customers accounts for 44 percent of the group’s total premium income.

“The biggest risk to us is that significantly more customers get hit than we believe and that it gives us a huge economic loss,” said Hubbe.

While the firm has good insight into how often a house burns down or a bicycle is stolen on average, the frequency and extent of cyber crimes is hard to predict.

Tryg will also offer extensions to the basic insurance that cover consequential losses, back-up of data and a so-called DNS box aimed at blocking web pages known to contain viruses and malware.

For the big industrial players, Tryg would look to cooperate with global reinsurers to spread the risk when big companies lose revenues in connection with cyber attacks.

The world’s biggest container shipping firm Maersk Line <MAERSKb.CO> saw a $2-300 million bill from a June cyber attack that disrupted its operations for weeks.

(Reporting by Stine Jacobsen; editing by Ken Ferris)

Yahoo says all three billion accounts hacked in 2013 data theft

Yahoo says all three billion accounts hacked in 2013 data theft

By Jonathan Stempel and Jim Finkle

(Reuters) – Yahoo on Tuesday said that all 3 billion of its accounts were hacked in a 2013 data theft, tripling its earlier estimate of the size of the largest breach in history, in a disclosure that attorneys said sharply increased the legal exposure of its new owner, Verizon Communications Inc <VZ.N>.

The news expands the likely number and claims of class action lawsuits by shareholders and Yahoo account holders, they said. Yahoo, the early face of the internet for many in the world, already faced at least 41 consumer class-action lawsuits in U.S. federal and state courts, according to company securities filing in May.

John Yanchunis, a lawyer representing some of the affected Yahoo users, said a federal judge who allowed the case to go forward still had asked for more information to justify his clients’ claims.

“I think we have those facts now,” he said. “It’s really mind-numbing when you think about it.”

Yahoo said last December that data from more than 1 billion accounts was compromised in 2013, the largest of a series of thefts that forced Yahoo to cut the price of its assets in a sale to Verizon.

Yahoo on Tuesday said “recently obtained new intelligence” showed all user accounts had been affected. The company said the investigation indicated that the stolen information did not include passwords in clear text, payment card data, or bank account information.

But the information was protected with outdated, easy-to-crack encryption, according to academic experts. It also included security questions and backup email addresses, which could make it easier to break into other accounts held by the users.

Many Yahoo users have multiple accounts, so far fewer than 3 billion were affected, but the theft ranks as the largest to date, and a costly one for the internet pioneer.

Verizon in February lowered its original offer by $350 million for Yahoo assets in the wake of two massive cyber attacks at the internet company.

Some lawyers asked whether Verizon would look for a new opportunity to address the price.

“This is a bombshell,” said Mark Molumphy, lead counsel in a shareholder derivative lawsuit against Yahoo’s former leaders over disclosures about the hacks.

Verizon did not respond to a request for comment about any possible lawsuit over the deal.

Verizon, the likely main target of legal actions, also could be challenged as it launches a new brand, Oath, to link its Yahoo, AOL and Huffington Post internet properties.

In August in the separate lawsuit brought by Yahoo’s users, U.S. Judge Lucy Koh in San Jose, California, ruled Yahoo must face nationwide litigation brought on behalf of owners accounts who said their personal information was compromised in the three breaches. Yanchunis, the lawyer for the users, said his team planned to use the new information later this month to expanding its allegations.

Also on Tuesday, Senator John Thune, chairman of the U.S. Senate Commerce Committee, said he plans to hold a hearing later this month over massive data breaches at Equifax Inc <EFX.N> and Yahoo. The U.S. Securities and Exchange Commission already had been probing Yahoo over the hacks.

The closing of the Verizon deal, which was first announced in July, had been delayed as the companies assessed the fallout from two data breaches that Yahoo disclosed last year. The company paid $4.48 billion for Yahoo’s core business.

A Yahoo official emphasized Tuesday that the 3 billion figure included many accounts that were opened but that were never, or only briefly, used.

The company said it was sending email notifications to additional affected user accounts.

The new revelation follows months of scrutiny by Yahoo, Verizon, cybersecurity firms and law enforcement that failed to identify the full scope of the 2013 hack.

The investigation underscores how difficult it was for companies to get ahead of hackers, even when they know their networks had been compromised, said David Kennedy, chief executive of cybersecurity firm TrustedSEC LLC.

Companies often do not have systems in place to gather up and store all the network activity that investigators could use to follow the hackers’ tracks.

“This is a real wake up call,” Kennedy said. “In most guesses, it is just guessing what they had access to.”

(Reporting by Munsif Vengattil, Jim Finkle, Jim Christie, Jon Stempel, and David Shepardson; writing by Stephen Nellis in San Francisco; Editing by Andrew Hay and Lisa Shumaker)

Security firm finds some Macs vulnerable to ‘firmware’ attacks

FILE PHOTO: Apple CEO Tim Cook speaks under a graphic of the new MacBook Pro during an Apple media event in Cupertino, California, U.S. October 27, 2016. REUTERS/Beck Diefenbach

By Stephen Nellis

(Reuters) – Since 2015, Apple Inc <AAPL.O> has tried to protect its Mac line of computers from a form of hacking that is extremely hard to detect, but it has not been entirely successful in getting the fixes to its customers, according to research released on Friday by Duo Security.

Duo examined what is known as firmware in the Mac computers. Firmware is an in-built kind of software that is even more basic than an operating system like Microsoft Windows or macOS.

When a computer is first powered on — before the operating system has even booted up — firmware checks to make sure that basic components like a hard disk and processor are present and tells them what to do. That makes malicious code hiding in it hard to spot.

In most cases, firmware is a hassle to update with the latest security patches. Updates have to be carried out separately from the operating system updates that are more commonplace.

In 2015, Apple started bundling firmware updates along with operating system updates for Mac machines in an effort to ensure firmware on them stayed up to date.

But Duo surveyed 73,000 Mac computers operating in the real world and found that 4.2 percent of them were not running the firmware they should have been based on their operating system. In some models – such as the 21.5-inch iMac released in late 2015 – 43 percent of machines had out-of-date firmware.

That left many Macs open to hacks like the “Thunderstrike” attack, where hackers can control a Mac after plugging an Ethernet adapter into the machine’s so-called thunderbolt port.

Paradoxically, it was only possible to find the potentially vulnerable machines because Apple is the only computer maker that has sought to make firmware updates part of its regular software updates, making it both more trackable and the best in the industry for firmware updates, Rich Smith, director of research and development at Duo, told Reuters in an interview.

Duo said that it had informed Apple of its findings before making them public on Friday. In a statement, Apple said it was aware of the issue and is moving to address it.

“Apple continues to work diligently in the area of firmware security, and we’re always exploring ways to make our systems even more secure,” the company said in a statement. “In order to provide a safer and more secure experience in this area, macOS High Sierra automatically validates Mac firmware weekly.”

(Reporting by Stephen Nellis; Editing by Leslie Adler)

Equifax apologizes as U.S. watchdog calls for more oversight

FILE PHOTO: Credit reporting company Equifax Inc. corporate offices are pictured in Atlanta, Georgia, U.S., September 8, 2017. REUTERS/Tami Chappell/File Photo

By John McCrank

(Reuters) – Equifax Inc promised to make it easier for consumers to control access to their credit records in the wake of the company’s massive breach after the top U.S. consumer financial watchdog called on the industry to introduce such a system.

Equifax’s interim chief executive officer, Paulino do Rego Barros Jr., vowed to introduce a free service by Jan. 31 that will let consumers control access to their own credit records.

Barros, who was named interim CEO on Tuesday as Richard Smith stepped down from the post amid mounting criticism over the handling of the cyber attack, also apologized for providing inadequate support to consumers seeking information after the breach was disclosed on Sept. 7. He promised to add call-center representatives and bolster a breach-response website.

“I have heard the frustration and fear. I know we have to do a better job of helping you,” Barros said in a statement published in The Wall Street Journal.

Equifax announced the free credit freeze service after the Consumer Financial Protection Bureau’s (CFPB) director, Richard Cordray, told CNBC earlier in the day that the agency would beef up oversight of Equifax and its rivals.

“The old days of just doing what they want and being subject to lawsuits now and then are over,” Cordray said.

He also called for implementing a scheme of preventive credit monitoring.

“They are going to have to accept that. They are going to have to welcome it. They are going to have to be very forthcoming,” Cordray said.

The Equifax hack compromised sensitive data of up to 143 million Americans and prompted investigations by lawmakers and regulators, including the New York Department of Financial Services (DFS), which issued a subpoena to Equifax demanding more information about the breach.

Federal laws give the CFPB the power to supervise and examine large credit-reporting firms to ensure the quality of information they provide. In January, the CFPB fined TransUnion and Equifax $5.5 million in total for deceiving customers about the usefulness and cost of their credit scores.

Cordray called for expanded powers to cover data security to prevent breaches and suggested placing monitors inside credit reporting firms, borrowing a tactic from the regulatory regime for banks.

The CFPB is working with the Federal Trade Commission and New York’s DFS on a new regulatory framework, Cordray said. He also called for Congress to tighten oversight of the industry.

TransUnion said in a statement that it had “long been subject to regulatory oversight from state and federal regulators including the CFPB.”

Experian did not respond to requests for comment.

(Reporting by John McCrank in New York; Additional reporting by Lisa Lambert in Washington and Jim Finkle in Toronto; Writing by Michelle Price; Editing by Tom Brown and Leslie Adler)

Exclusive: U.S. Homeland Security found SEC had ‘critical’ cyber weaknesses in January

The U.S. Securities and Exchange Commission logo adorns an office door at the SEC headquarters in Washington, June 24, 2011.

By Sarah N. Lynch

WASHINGTON (Reuters) – The U.S. Department of Homeland Security detected five “critical” cyber security weaknesses on the Securities and Exchange Commission’s computers as of January 23, 2017, according to a confidential weekly report reviewed by Reuters.

The report’s findings raise fresh questions about a 2016 cyber breach into the SEC’s corporate filing system known as “EDGAR.” SEC Chairman Jay Clayton disclosed late Wednesday night that the agency learned in August 2017 that hackers may have exploited the 2016 incident for illegal insider-trading.

The January DHS report, which shows its weekly findings after scanning computers for cyber weaknesses across most of the federal civilian government agencies, revealed that the SEC at the time had the fourth most “critical” vulnerabilities.

It was not clear if the vulnerabilities detected by DHS are directly related to the cyber breach disclosed by the SEC in 2016.

But it shows that even after the SEC says it patched “promptly” the software vulnerability after the 2016 hack, critical vulnerabilities still plagued the regulator’s systems.

An SEC spokesman did not have any immediate comment on the report’s findings.

It is unclear if any of those critical vulnerabilities still pose a threat.

(This version of the story was refiled to correct day of the week in paragraph 2)

 

(Reporting by Sarah N. Lynch; Editing by Nick Zieminski)

 

Equifax two top technology executives leave company ‘effective immediately’

FILE PHOTO: Credit reporting company Equifax Inc. corporate offices are pictured in Atlanta, Georgia, U.S., September 8, 2017. REUTERS/Tami Chappell

By Dustin Volz and Diane Bartz

WASHINGTON (Reuters) – Equifax said on Friday that it made changes in its top management as part of its review of a massive data breach, with two technology and security executives leaving the company “effective immediately.”

The credit-monitoring company announced the changes in a press release that gave its most detailed public response to date of the discovery of the data breach on July 29 and the actions it has since taken.

The statement came on a day when Equifax’s share price continued to slide following a week of relentless criticism over its response to the data breach,

Lawmakers, regulators and consumers have complained that Equifax’s response to the breach, which exposed sensitive data like Social Security numbers of up to 143 million people, had been slow, inadequate and confusing.

Equifax on Friday said that Susan Mauldin, chief security officer, and David Webb, chief information officer, were retiring.

The company named Mark Rohrwasser as interim chief information office and Russ Ayres as interim chief security officer, saying in its statement, “The personnel changes are effective immediately.”

Rohrwasser has led the company’s international IT operations, and Ayres was a vice president in the IT organization.

The company also confirmed that Mandiant, the threat intelligence arm of the cyber firm FireEye, has been brought on to help investigate the breach. It said Mandiant was brought in on Aug. 2 after Equifax’s security team initially observed “suspicious network traffic” on July 29.

The company has hired public relations companies DJE Holdings and McGinn and Company to manage its response to the hack, PR Week reported. Equifax and the two PR firms declined to comment on the report.

Equifax’s share prices has fallen by more than a third since the company disclosed the hack on Sept. 7. Shares shed 3.8 percent on Friday to close at $92.98.

U.S. Senator Elizabeth Warren, who has built a reputation as a fierce consumer champion, kicked off a new round of attacks on Equifax on Friday by introducing a bill along with 11 other senators to allow consumers to freeze their credit for free. A credit freeze prevents thieves from applying for a loan using another person’s information.

Warren also signaled in a letter to the Consumer Financial Protection Bureau, the agency she helped create in the wake of the 2007-2009 financial crisis, that it may require extra powers to ensure closer federal oversight of credit reporting agencies.

Warren also wrote letters to Equifax and rival credit monitoring agencies TransUnion and Experian, federal regulators and the Government Accountability Office to see if new federal legislation was needed to protect consumers.

Connecticut Attorney General George Jepsen and more than 30 others in a state group investigating the breach acknowledged that Equifax has agreed to give free credit monitoring to hack victims but pressed the company to stop collecting any money to monitor or freeze credit.

“Selling a fee-based product that competes with Equifax’s own free offer of credit monitoring services to victims of Equifax’s own data breach is unfair,” Jepsen said.

Also on Friday, the chairman and ranking member of the Senate subcommittee on Social Security urged Social Security Administration to consider nullifying its contract with Equifax and consider making the company ineligible for future government contracts.

The two senators, Republican Bill Cassidy and Democrat Sherrod Brown, said they were concerned that personal information maintained by the Social Security Administration may also be at risk because the agency worked with Equifax to build its E-Authentication security platform.

Equifax has reported that for 2016, state and federal governments accounted for 5 percent of its total revenue of $3.1 billion.

400,000 BRITONS AFFECTED

Equifax, which disclosed the breach more than a month after it learned of it on July 29, said at the time that thieves may have stolen the personal information of 143 million Americans in one of the largest hacks ever.

The problem is not restricted to the United States.

Equifax said on Friday that data on up to 400,000 Britons was stolen in the hack because it was stored in the United States. The data included names, email addresses and telephone numbers but not street addresses or financial data, Equifax said.

Canada’s privacy commissioner said on Friday that it has launched an investigation into the data breach. Equifax is still working to determine the number of Canadians affected, the Office of the Privacy Commissioner of Canada said in a statement.

(Reporting by Dustin Volz and Diane Bartz; Additional reporting by Chris Sanders, Michelle Price and Jim Finkle; Editing by Chris Reese and Leslie Adler)

Equifax reveals hack that likely exposed data of 143 million customers

A magnifying glass is held in front of a computer screen in this picture illustration taken in Berlin May 21, 2013. REUTERS/Pawel Kopczynski/File Photo

By Yashaswini Swamynathan

(Reuters) – Equifax Inc, a provider of consumer credit scores, said on Thursday that personal details of as many as 143 million U.S. consumers were accessed by hackers between mid-May and July, in what could be one of the largest data breaches in the United States.

The company’s shares fell nearly 19 percent in after-market trading as investors reacted to possible consequences of the exposure of sensitive data of nearly half of the U.S. population.

Atlanta-based Equifax said in a statement that it discovered the breach on July 29. It said criminals exploited a U.S. website application vulnerability to gain access to certain files that included names, Social Security numbers and driver’s license numbers.

In addition, credit card numbers of around 209,000 U.S. consumers and certain dispute documents with personal identifying information of around 182,000 U.S. consumers were accessed. Information of some UK and Canadian residents was also gained in the hack, Equifax said.

Equifax said in its statement that it was working with law enforcement agencies and has hired a cyber-security firm to investigate the breach. It said its investigation is “substantially complete,” and expects it will be completed in the coming weeks.

The company declined to comment beyond its statement.

The Federal Bureau of Investigation is tracking the situation, a spokeswoman for the agency said.

U.S. Senator Mark Warner, vice chairman of the Senate Select Committee on Intelligence, said in a statement that it would not be an “exaggeration to suggest that a breach such as this represents a real threat to the economic security of Americans.”

Equifax’s breach follows rival Experian Plc’s breach two years ago that exposed sensitive personal data of some 15 million people who applied for service with T-Mobile US Inc (http://reut.rs/2f8ES9k)

“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do,” Equifax Chief Executive Richard Smith said in a statement, adding that the company is conducting “a thorough review of our overall security operations.”

LIKELIHOOD FOR PHISHING SEEN HIGH

Cybersecurity experts said the breach was very serious.

“On a scale of 1 to 10, this is a 10. It affects the whole credit reporting system in the United States because nobody can recover it, everyone uses the same data,” said Avivah Litan, a Gartner Inc analyst who tracks identity theft and fraud.

Equifax handles data on more than 820 million consumers and more than 91 million businesses worldwide and manages a database with employee information from more than 7,100 employers, according to its website.

Ryan Kalember, senior vice president of cyber security firm Proofpoint, said the hack was “especially troubling” because companies typically offer free credit monitoring services from firms such as Equifax, which has now itself suffered a huge cyber attack.

“The information is very personal – the likelihood that it could be used for phishing is very high,” said Matt Tait, a former analyst at the British intelligence service GCHQ and a cyber security researcher.

Equifax said consumers could check if their information had been impacted at, www.equifaxsecurity2017.com.

Representative Maxine Waters, a member of the House of Representatives Financial Services Committee, said in a statement that she would reintroduce legislation to “enhance consumer protection tools available to minimize harm caused by identity theft.”

Three days after Equifax discovered the breach, three top Equifax executives, including Chief Financial Officer John Gamble and a president of a unit, sold Equifax shares or exercised options to dispose off stock worth about $17.8 million, regulatory filings show. It was not clear whether these transactions were part of a pre-arranged sales plan.

Equifax said in a statement that the executives were not aware that an intrusion had occurred when they sold their shares.

(Reporting by Yashaswini Swamynathan in Bengaluru; Additional reporting by Laharee Chatterjee in Bengaluru and Siddharth Cavale and Dustin Volz in Washington; Editing by Leslie Adler)