The personal details of more than 140 million people, mostly in the US, have been accessed in an attack on Equifax.
The breach happened between mid-May and July.
Names, social security numbers, birth dates, addresses, driver's licence numbers, credit card numbers and dispute documents with personal information were accessed.
Equifax chairman and CEO Rick Smith says it's a disappointing event and one that strikes at the heart of who the company is and what it does.
He deeply regrets the incident and apologises to every affected consumer and all of Equifax's partners.
Investors bailed out on Equifax Friday after the credit monitoring company said a data breach exposed the Social Security numbers and other personal data of 143 million Americans.
Equifax shares fell nearly 14 per cent to US$123.23 in heavy trading. The decline equates to about US$2.35 billion in lost market value.
The company is one of three major US credit bureaus, and the declines extended to its competitors. TransUnion fell 4 per cent and Experian stock declined 1 per cent in London.
Lenders rely on the information collected by the credit bureaus to help them decide whether to approve financing for homes, cars and credit cards. Credit checks are even sometimes done by employers when deciding whom to hire for a job.
Corporate culture a factor in Equifax breach?
Equifax is blaming an unspecified "website application vulnerability" for hackers' ability to get personal information on 143 million Americans. Security experts say it's hard to say for sure without more information, but such vulnerabilities typically don't require a lot of sophistication to exploit.
Rich Mogull, who runs the security research firm Securosis, says the web app breach suggests "things are broken down in a couple of different areas." He says someone likely made a programming or configuration mistake, but corporate culture could also be a factor. Often, he says, corporate security is underfunded or isn't given the authority to make sure application developers do what's right.
Ryan Kalember of the security company Proofpoint says that even if the vulnerability was known and fixable, "coordination between app developers and security teams in a lot of organizations are not on the best of terms."
Equifax disclosed Thursday that a breach exposed personal information, including Social Security numbers, on 143 million Americans.
A second House committee has committed to holding a congressional hearing to examine an Equifax data breach compromising the personal data of millions of Americans. Greg Walden, the US Republican chairman of the House Energy and Commerce Committee, says that after receiving an initial briefing from Equifax, he has decided to hold a hearing examining what went wrong and how to better protect against future hackings.
Walden calls the breach unprecedented and says it could affect tens of millions of Americans. He says the breach raises serious questions about the security of personal information online.
Walden says the committee will continue to get briefings from Equifax and work with company officials to determine an appropriate date for the hearing. The House Financial Services Committee has also announced plans for a hearing.
A security expert says a website created by credit monitoring company Equifax to help its customers find out if their personal information was stolen after a massive data breach raises its own security questions.
Georgia Weidman, the founder and chief technology officer for security firm Shevirah, says the website Equifax created looks like the kind of website set up by attackers to trick people into disclosing information.
Weidman says it's teaching people "entirely the wrong things about using the internet securely."
Weidman says she's troubled by Equifax's approach to security generally, including reports that it didn't respond to basic scripting bugs it was warned about last year.
- additional reporting AP.