Equifax has revealed that about 143 million US customers may have had information compromised in a cyber security breach.
The credit report giant said cyber-criminals accessed data such as Social Security numbers, birth dates and addresses during the incident.
Some UK and Canadian customers were also affected.
Equifax’s core consumer and commercial credit databases were not accessed.
The company said hackers accessed the information between mid-May and the end of July, when it discovered the breach.
Malicious hackers won access to the company’s systems by exploiting a “website application vulnerability”, it said but provided no further details.
The hackers accessed credit card numbers for about 209,000 consumers, among other information.
Equifax chairman and CEO Richard Smith said the incident was “disappointing” and “one that strikes at the heart of who we are and what we do”.
“I apologize to consumers and our business customers for the concern and frustration this causes,” he said.
Equifax said it was working with law enforcement agencies to investigate and had hired a cyber-security firm to analyze what happened. The FBI is also believed to be monitoring the situation.
The company said it would work with regulators in the US, UK and Canada on next steps. It is also offering free credit monitoring and identity theft protection for a year.
Equifax said it had set up a website – www.equifaxsecurity2017.com – through which consumers can check if their data has been caught up in the breach. Many people trying to visit the site reported via social media that they had problems reaching it and that security software flagged it as potentially dangerous.
The breach is one of the largest ever reported in the US and, said experts, could have a significant impact on any Americans affected by it.
Equifax holds data on more than 820 million consumers as well as information on 91 million businesses.