The impact of the Equifax data leak in the UK remains unclear days after the breach was first made public, amid reports estimating that the personal details of up to 44 million Brit could have been exposed.
The credit reference agency and its UK subsidiaries provide services for UK companies including BT, Capital One and British Gas. Customers of these companies might, as such, be affected by the attack despite not having signed up for Equifax's services.
The US agency holds the personal details of 44 million UK citizens, the Daily Telegraph has reported. What percentage of these users are affected remains unclear and unconfirmed.
BT confirmed it was a user of Equifax services and told us it was in dialogue with Equifax about the data leakage. A BT spokesman told El Reg he was unable to share more at this point.
Data privacy watchdogs at the Information Commissioner's Office (ICO) have advised Equifax to alert affected UK customers as soon as possible. Notification in such cases is not mandatory under current UK data protection laws.
A spokeswoman at the ICO was not able to provide any guidance on the extent to which UK consumers were affected by the breach when we called.
In a breach disclosure notice last Thursday, Equifax said criminal hackers had exposed the personal data of 143 million customers in the US, which was stolen between mid-May and late July this year after taking advantage of an (unspecified) “web application vulnerability”.
Industry talk this weekend indicated hackers might have exploited a recently disclosed flaw in Apache Struts but this was denied by Apache Software Foundation earlier today, as previously reported.
According to Equinox, the purloined US data includes names, social security numbers, dates of birth, addresses and, in some instances, driver's licence numbers. In addition, credit card numbers for approximately 209,000 US consumers, and certain dispute documents with personal identifying information for approximately 182,000 US consumers, were accessed.
Equifax has also admitted without going into details that "limited personal information" from British and Canadian residents had been compromised.
El Reg put in a query to Equifax’s UK PR representatives asking for clarification on what information belonging to UK consumers had been exposed and how many had been affected. Our query was redirected towards a central (crisis management) PR team, which we understand is US-based.
We’ll update this story as more pertinent information comes to light.
Equifax’s dedicated breach-handling site can be found here. In updates on Friday, Equinox said it had drafted more people to work in its call centres. ®