Equifax reveals millions affected in data breach

By Marianne Curphey


Equifax has revealed how many UK customers were affected by the data breach that took place in September 2017, but that just leaves more questions.

When a file containing 15.2 million UK records dating from between 2011 and 2016 was hacked, consumer details, as well as other data relating to Equifax's databases, were stolen, Equifax said in a statement.

Between September and October, Equifax used external agencies to identify which UK customers were most affected, and the company said it will now be corresponding with nearly 700,000 affected customers.

Here's an FAQ about the new data breach information:

Q: Is the investigation complete?
John Greenwood, executive director of security firm Compliance 3, said Equifax completed its forensic investigation of the breach and would now be in talks with the information watchdog, the Information Commissioner's Office (ICO).

However, consumers are not out of the woods.

"The reality is that the information that was stolen is now out there and being sold on the dark web," he said. "Personal information is being bought and sold by criminals."

Q: Should I expect a telephone call from Equifax?
No. Equifax said it will not be making any outbound telephone calls to consumers. Correspondence will be by post.

Equifax says it will not ask consumers for money or cite personal details to seek financial information. If you receive a phone call or any requests for personal details, do not give out any information, as the caller is likely a fraudster.

Q: What information was stolen?
David Morrow, founder of Fraudfit, said that the information stolen from Equifax appears to be password information and phone numbers from 2014.

If that is the case, he said, most customers should have changed password information since then, or have been prompted by Equifax to do so.

"It's a big number of people affected, but not the biggest," he said. "The most worrying aspect of this is that someone was able to get at that information, even if it was old information from several years ago."

It is not clear whether the accessed information was encrypted or not, but if it was not, that is an issue of concern, he said.

"It has increased the risk for the people in the groups who were affected by the data breach," he said. "If the information existed unencrypted, how many other organisations might have similar vulnerabilities?"

Q: What is Equifax offering to those affected?
Equifax has begun sending letters to affected customers offering them free safeguards via Equifax and third parties with instructions on how to get started. A total of 693,665 consumers will be contacted:

  • 12,086 consumers who had an email address associated with their Equifax.co.uk account in 2014.
  • 14,961 consumers who had portions of their Equifax.co.uk membership from 2014.
  • 29,188 consumers who had their driving licence number accessed.

Contacted customers will be able to sign up to get Equifax Protect for free. This is an identity protection service which monitors personal data. Products and services from third-party organisations will be offered at no cost to consumers.

There were also 637,430 consumers who had their phone numbers accessed and these consumers will be offered an identity monitoring service for free, Equifax said.

The remainder of the 14.5m records accessed by the fraudsters may contain the names and dates of birth of certain UK consumers, but Equifax does not believe people in this group are at risk.

"It has been regrettable that we have not been able to contact consumers who may have been impacted until now, but it would not have been appropriate for us to do so until the full facts of this complex attack were known, and the full forensics investigation was completed," Patricio Remon, president for Europe at Equifax Ltd (UK), said in a press statement.

Q: What are some other consequences of the breach?
Morrow said other consequences of the breach would be inconvenience for customers, and a waste of management time trying to fix the issue rather than focussing on the business.

Q: How can I find out more?
Customers can call a Freephone number at 0800 587 1584 for more information. When UK.CreditCards.com called this number, it was answered by a call centre in Manila, the Philippines.

The call centre operative said that she could only answer questions from callers who had received a letter from Equifax, and said that the ID protection service on offer to affected customers would be free for 12 months.

She gave the website help page address as www.equifax.co.uk/ask, which is a customer service page requiring a customer login or registration.

Consumers also will be able to contact Equifax online or via a dedicated telephone line seven days a week. This applies to those who receive a letter from Equifax and wish to take up one of the ID protection services on offer, those who have any further questions, or those who are concerned that they may have been affected.

The ICO has said that if people think their financial details have been compromised, they should immediately notify their bank or card company. Anyone who thinks they have been a victim of cybercrime should contact Action Fraud.


Published: 11 October 2017