UPDATE Equifax Hack Confusion – Fears for UK Customers of BT and Other ISPs

Fears are growing that potentially up to 44 million consumers in the United Kingdom, including customers of BT and possibly other broadband providers, could be caught up in the huge personal data breach that hit US credit rating firm Equifax from May – July 2017 (details were only revealed last week!).

Last Thursday Equifax revealed that a vulnerability in their website had enabled hackers to steal masses of personal data from their server between mid-May and July 2017. At the time it was reported that the incident, which had first been discovered on 29th July 2017, may have affected up to 143 million customers in the USA.

Apparently the data that was exposed included names, social security numbers, dates of birth, addresses and, in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed.

Richard F. Smith, Chairman and Chief Executive Officer, said:

“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes. We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations. We also are focused on consumer protection and have developed a comprehensive portfolio of services to support all U.S. consumers, regardless of whether they were impacted by this incident.”

At the time Equifax also claimed to have “identified unauthorized access to limited personal information” for certain UK and Canadian residents, although no further details were revealed. However reports since then have claimed that the firm handled data belonging to around 44 million consumers in the United Kingdom via clients such as British Gas, BT and Capital One etc.

A BT Spokesperson said:

“We are aware of the developing story and are monitoring the situation closely. Like many companies in the UK, BT uses Equifax services. We are working on establishing whether this breach has any impact on those services.”

Equifax is far from being a household name in the UK, which is hardly surprising as they’re often employed behind the scenes and a lot of ordinary consumers won’t have ever had cause to engage with them directly. However this also means that many people may overlook the news, based on the assumption that it’s nothing to do with them; except it’s now possible that the opposite may be true.

Naturally Equifax has been heavily criticised for taking such an absurdly long time to disclose the breach. Similarly there’s frustration at their seeming inability to confirm precisely how many consumers in the United Kingdom may be impacted, as well as which companies have been hit and what the “limited personal information” actually covers (we assume they must have some idea).

Consumers now face a anxious wait to find out whether or not their own details have been stolen. In the meantime Equifax has established a somewhat vague information website, which is comically called Equifax Security 2017 and doesn’t appear setup to handle citizens from the UK. Meanwhile the wait for answers continues.

UPDATE 15th September 2017

Equifax has confirmed that it is likely to need to contact fewer than 400,000 UK consumers in order to offer them appropriate advice and a range of services to help safeguard and reassure them. The investigation shows that a file containing UK consumer information may potentially have been accessed. This was due to a process failure, corrected in 2016, which led to a limited amount of UK data being stored in the US between 2011 and 2016.

The information was restricted to: Name, date of birth, email address and a telephone number. Equifax has also confirmed that the data does not include any residential address information, password information or financial data. The compromised UK consumer data does not relate to any single Equifax business client or institution.

Patricio Remon, President at Equifax Ltd., said:

“We apologise for this failure to protect UK consumer data. Our immediate focus is to support those affected by this incident and to ensure we make all of the necessary improvements and investments to strengthen our security and processes going forward.”

Due to the nature of the information “Equifax believes identity takeover is unlikely for the UK consumers who had their data potentially accessed in this incident“. The company said that it “will be proactively contacting impacted customers in writing to offer them a free comprehensive identity protection service which will allow them to monitor their personal data, including their credit information and be alerted to any potential signs of fraudulent activity.”

The investigation is ongoing and Equifax added that they were “in dialogue” with the Financial Conduct Authority and Information Commissioner’s Office.