Equifax says that three company executives who sold stock just days after the company discovered a major security breach were not aware of the hack at the time.
On Thursday (7 September), the company disclosed a cyberattack that ran from mid-May to July. The attack exposed the Social Security numbers and other sensitive information of about 143 million Americans. Equifax said it detected the hack on 29 July .
On 1 August and 3 August, Equifax Chief Financial Officer John Gamble and two other executives, Rodolfo Ploder and Joseph Loughran, sold a combined $1.8 million (£1.4m) in stock.
In a statement, the company said the executives "had no knowledge that an intrusion had occurred at the time they sold their shares".
Bloomberg News first reported the divestitures. The sales effectively insulated the executives from a downturn in Equifax's stock Thursday.
The stock dropped 13% in extended trading after the announcement of the breach. It said consumers' names, Social Security numbers, birth dates, addresses and, in some cases, driver's license numbers were exposed.
Credit card numbers for about 209,000 US consumers were also accessed. The company said hackers also accessed some "limited personal information" from British and Canadian residents.
Equifax said it doesn't believe that any consumers from other countries were affected.
The purloined data can be enough for crooks to hijack the identities of people whose credentials were stolen through no fault of their own, potentially wreaking havoc on their lives.
Equifax said its core credit-reporting databases don't appear to have been breached.
"On a scale of one to 10, this is a 10 in terms of potential identity theft," said Gartner security analyst Avivah Litan. "Credit bureaus keep so much data about us that affects almost everything we do."
Lenders rely on the information collected by the credit bureaus to help them decide whether to approve financing for homes, cars and credit cards. Credit checks are even sometimes done by employers when deciding whom to hire for a job.
The company established a website, https://www.equifaxsecurity2017[dot]com/, where people can check to see if their personal information may have been stolen.
Experian is also offering free credit monitoring to all US consumers for a year.
"This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do," Equifax CEO Richard Smith said in a statement. "I apologise to consumers and our business customers for the concern and frustration this causes."
This isn't the biggest data breach in history.
That indignity still belongs to Yahoo, which was targeted in at least two separate digital burglaries that affected more than 1 billion of its users' accounts throughout the world. But no Social Security numbers or drivers' license information were disclosed in the Yahoo break-in.
Equifax's security lapse could be the largest theft involving Social Security numbers, one of the most common methods used to confirm a person's identity in the US. It eclipses a 2015 hack at health insurer Anthem that involved the Social Security numbers of about 80 million people.