- Equifax said data on 143 million U.S. customers was obtained in a breach.
- The breach was discovered July 29.
- Personal data including birth dates, credit card numbers and more were obtained in the breach.
- Three Equifax executives sold shares in the company days after the breach was discovered.
Equifax, which supplies credit information and other information services, said Thursday that a data breach could potentially affect 143 million consumers in the United States.
The population of the U.S. was about 324 million in 2017, according to Census Bureau estimates, which means the Equifax incident affects a huge portion of the country.
Equifax said it discovered the breach on July 29. "Criminals exploited a U.S. website application vulnerability to gain access to certain files," the company said.
SEC filings show that three Equifax executives – Chief Financial Officer John Gamble Jr., workforce solutions president Rodolfo Ploder and U.S. information solutions president Joseph Loughran – sold nearly $2 million in shares in the company days after the cyberattack was discovered. It was unclear whether their share sales had anything to do with the breach.
Equifax said in a statement that the three executives sold a "small percentage" of their shares on Tuesday, August 1, and Wednesday, August 2, adding they "had no knowledge that an intrusion had occurred at the time they sold their shares."
The SEC declined to comment on the share sales.
Shares of Equifax fell more than 12 percent in after-hours trading.
The company said the exposed data include names, birth dates, Social Security numbers, addresses and some driver's license numbers, all of which Equifax aims to protect for its customers.
Equifax added that 209,000 U.S. credit card numbers were obtained, in addition to "certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers."
"This is a security risk for any and every website that anyone uses," Christopher O'Rourke, founder and CEO of cybersecurity firm Soteria, told CNBC.
"Most often, security questions to access those websites use that data, like a previous address, so this becomes an open-source intelligence nightmare, worse in many ways than the Office of Personnel Management government breach. It's nasty. If I can get my hands on that information I can call a bank. They're going to ask me for your Social, address, the information that was leaked here, to get access."
Equifax Chairman and CEO Richard Smith apologized to consumers and customers and noted that he's aware the breach affects what the company is supposed to protect.
Equifax said it is now alerting customers whose information was included in the breach via mail, and is working with state and federal authorities. Its private investigation into the breach is complete. NBC News, citing law enforcement sources, reported that the FBI was actively investigating the incident and that the company has been cooperating with the bureau.
Join CNBC, the Aspen Institute and the most influential cybersecurity players from government, business and tech at the Cambridge Cyber Summit, October 4 in Boston.
Correction: A previous version of this story misidentified the Office of Personnel Management.
— CNBC's Mike Calia contributed to this report.