Equifax has finally begun to address the impact of its data breach on UK customers. It has admitted that a file containing “15.2m UK records dating from between 2011 and 2016 was attacked in this incident.” It goes on to say that some or all of those customers may have had their names and dates of birth captured by the attackers.
For 693,665 consumers there is worse news. They have had data such as email address, username, password and even partial credit card data taken. Equifax is to contact these customers and offer them different degrees of protection. It has decided that the risk to the remaining 15.2 million customers does not warrant offering them any support, or even notification.
In a statement Patricio Remon, President for Europe at Equifax Ltd (UK), said: “Once again, I would like to extend my most sincere apologies to anyone who has been concerned about or impacted by this criminal act. Let me take this opportunity to emphasise that protecting the data of our consumers and clients is always our top priority.
“It has been regrettable that we have not been able to contact consumers who may have been impacted until now, but it would not have been appropriate for us to do so until the full facts of this complex attack were known, and the full forensics investigation was completed.
“I urge anyone who receives a letter from Equifax to take advantage of the remedial services being offered to help mitigate against any risk, or to contact us should you have any questions.”
What was stolen and what services will Equifax provide?
As already stated, the services and support from Equifax will depend on what data has been taken. The breakdown, as taken from the press release, is below:
| Consumer groups | Remedial action |
| --- | --- |
| 12,086 consumers who had an email address associated with their Equifax.co.uk account in 2014 accessed | We will offer Equifax Protect for free. This is an identity protection service which monitors personal data. Products and services from third party organisations will also be offered at no cost to consumers. In addition to the services set out above, further information will be outlined in the correspondence. |
| 14,961 consumers who had portions of their Equifax.co.uk membership details, such as username, password, secret questions and answers and partial credit card details, from 2014 accessed | As above. |
| 29,188 consumers who had their driving licence number accessed | As above. |
| 637,430 consumers who had their phone numbers accessed | Consumers who had a phone number accessed will be offered a leading identity monitoring service for free. |
When the breach was first announced, Equifax insisted that no UK consumer had lost any significant data. It explicitly denied claims that passwords and credit card data were taken. This has now proven to be false. It will be interesting to see whether the UK regulator decides to investigate further and establish when Equifax knew its claim was inaccurate.
It also claimed that no more than 400,000 UK consumers were affected. With that number jumping to 693,665, there will be concern that it had no clear picture of what data was in the compromised file. This will also interest the Information Commissioner's Office (ICO), as it suggests the governance controls over data movement are not fit for purpose.
What does this mean?
With the Mandiant investigation into the data breach complete, Equifax is releasing selected sets of data. Last week it went public about the impact on US and Canadian customers. This week it is addressing the UK. So far, Equifax's position is that these are the only countries whose data is involved. The UK is affected because of data transferred to the US prior to 2014.
As expected, the details of the investigation paint a far worse picture than Equifax had previously admitted to. The number of affected users and the types of data lost have increased well above Equifax's initial estimates. This is common in data breaches. The investigation has also exposed a lack of data governance and compliance in the way Equifax patched its systems.
In the US there are a number of lawsuits now pending not just from individuals but from larger organisations. These are likely to have a serious impact on the company. So far there has been no move to launch a class action lawsuit but it would be a surprise if that doesn’t happen.
Surprisingly, there is no sign that Equifax has yet been hit with a large number of Subject Access Requests (SARs). These allow an individual to discover just what data a company is holding on them. They can also be used to get a list of who has accessed that data. At the moment such a request costs just £10 and companies must respond within 40 days. When GDPR comes into force next year it will be free and companies will have just a month to respond.
There is also no sign of consumers demanding that Equifax remove their data from its system.
Both of these would have a significant impact on Equifax. A surge of SARs would cost it time and money to deal with. Demands to remove data would impact its core business and potentially send customers elsewhere.
The key question is whether it has done enough to stop the bleeding. That remains to be seen.