WASHINGTON — Criminal hackers acquired access to sensitive personal data — including Social Security numbers and birthdates — of 143 million Americans by penetrating a Web-based application for Equifax, the credit reporting agency said Thursday.
The breach, which the company said began in May, was discovered in July. Though Equifax said in a statement a “core database” was not penetrated, attackers gained access to a wide range of data for what appears to be a majority of American adults and some foreign users.
Social Security numbers and birthdates are particularly sensitive data, giving those who possess them the ingredients for identity fraud and other crimes. Equifax said that it also lost control of an unspecified number of driver’s licenses along with the credit card numbers for 209,000 consumers and credit dispute documents for 182,000 others.
“In addition to the number [of victims] being really large, the type of information that has been exposed is really sensitive,” said Beth Givens, executive director of the Privacy Rights Clearinghouse, a consumer advocacy group based in San Diego. “All in all, this has the potential to be a very harmful breach to those who are affected by it.”
Equifax said it was alerting those who were affected by mail. It also set up a website, www.equifaxsecurity2017.com, to help consumers understand the breach and check whether they were affected. The company is offering one year of free credit monitoring and identity theft protection to anyone who may have been affected.
“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes,” chief executive Richard Smith said in a statement published on the company’s website. “We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations.”
The company did not immediately respond to queries about what Web application was hacked or why it waited six weeks to alert consumers about the breach.
Companies often do not immediately alert affected people to cybersecurity incidents, prompting periodic calls from state and federal legislators for new laws to require more rapid and complete disclosures.
Equifax discovered the hack July 29, but waited until Thursday to warn consumers.
This isn’t the biggest data breach in history. That indignity belongs to Yahoo, which was targeted in at least two separate digital burglaries that affected more than 1 billion of its users’ accounts throughout the world.
But no Social Security numbers or driver’s license numbers were taken in that break-in.
Equifax’s security lapse could be the largest involving the theft of Social Security numbers. It eclipses a 2015 hack at health insurer Anthem Inc. that involved the Social Security numbers of about 80 million people.
Bloomberg News reported that three Equifax Inc. senior executives sold shares worth almost $1.8 million three days after the company discovered the security breach.
Regulatory filings show that chief financial officer John Gamble sold shares worth $946,374 and Joseph Loughran, president of US information solutions, exercised options to dispose of stock worth $584,099. Rodolfo Ploder, president of workforce solutions, sold $250,458 of stock on Aug. 2. None of the filings lists the transactions as being part of 10b5-1 pre-scheduled trading plans.
Material from the Associated Press was used in this report.