Equifax says 15.2m UK records exposed in hack

  • Liam Tung (CSO Online)
  • 11 October, 2017 07:10

US credit reporting bureau Equifax has revealed that 15.2 million UK records were stolen in the breach, which it said occurred in May and which it disclosed in September.

Within that figure Equifax confirmed that 693,665 UK customers could now be at risk of identity theft, which is almost double the “fewer than 400,000” the company originally estimated after revealing the breach on September 7. 

Reuters reports that 14.5 million of the 15.2 million exposed records did not contain sensitive information.    

Passwords and partial credit-card information belonging to 15,000 UK customers were also exposed, according to the Financial Times. The hackers also accessed the phone numbers of most of the nearly 700,000 citizens, while around 30,000 driver’s license numbers were exposed.

Equifax previously said that no password information or financial data was exposed -- only names, dates of birth, email addresses, and telephone numbers.  

As Equifax previously announced, the UK records were exposed in the breach of computers at Equifax’s US headquarters. They were stored in the US because of a “process failure” between 2011 and 2016.

Equifax says the failure that led to UK data being stored in the US was corrected in 2016, suggesting that the company hadn't deleted the UK data by the time the breach occurred in May.   

Equifax is now in the process of sending letters to the nearly 700,000 affected UK citizens, offering free ID protection services from itself and third-party providers.

The UK’s Financial Conduct Authority (FCA), privacy watchdog the Information Commissioner’s Office, and the National Crime Agency (NCA) are investigating the breach.

The UK’s National Cyber Security Centre (NCSC) issued updated advice in response to new information that UK customer password data was stolen. 

“If you have been told by Equifax that security details from your membership account – such as password and secret questions - have been accessed, you should ensure those details are not used on any other accounts,” it said in a statement. 

NCSC also warned that Brits affected by the data breach could be subject to more “targeted and realistic” phishing attempts using details exposed in the breach, including cold-calling scams and phishing emails that claim to be legitimate by displaying the month of the recipient’s birthdate and the last three digits of their phone number.

“The NCSC, with Equifax and partners including the NCA, ICO and FCA, continues to examine this incident and should further information come to light about the extent and nature of the impact on the UK, we will provide further updates and advice as soon as we can,” it said.