Credit agency Equifax has admitted that data from 143 million customers may have been compromised in a security breach earlier this year.
US, UK and Canadian residents are among those to have their details accessed through a website application vulnerability.
The attack was discovered to have run from mid-May until 29 July, but the US company has taken 40 days to inform customers that their personal details were compromised.
Three senior executives at the company – which is listed on the New York Stock Exchange – sold shares worth almost $1.8m before the breach was publicly disclosed.
According to Bloomberg they had not been informed of the incident at this point.
The firm’s shares dropped 12.4% in after-hours trading when the data breach was announced.
Names, social security numbers, birth dates, addresses and in some instances driving license numbers were stolen, as were credit card numbers for more than 200,000 people.
The company’s chief executive, Richard Smith, said: “This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do.
“I apologise to consumers and our business customers for the concern and frustration this causes.”
According to Twitter user @x0rz, a cross-site scripting (XSS) vulnerability on Equifax’s website was still working despite being reported in 2016.
XSS vulnerabilities are a common issue with web applications and can allow attackers to bypass access controls and view data they do not have authorisation to access.
Equifax said that it had reported the breach to US law enforcement, and would “work with UK and Canadian regulators to determine appropriate next steps”.
The UK regulator, the Information Commissioner’s Office (ICO), fined TalkTalk a record £400,000 in 2016 after insufficient security allowed hackers to access information belonging to more than 156,000 customers.
Equifax did not state how many UK consumers were affected by the breach.
ICO Deputy Commissioner James Dipple-Johnstone told Sky News: “Reports of a significant data loss at US-based Equifax and the potential impact on some UK citizens gives us cause for concern.
“We are already in direct contact with Equifax to establish the facts including how many people in the UK have been affected and what kind of personal data may have been compromised.
“We will be advising Equifax to alert affected UK customers at the earliest opportunity.
“In cyber attack cases that cross borders the ICO is committed to working with relevant overseas authorities on behalf of UK citizens.”