Equifax: About those 400,000 UK records we lost? It's now 15.2M. Yes, M for MEELLLION

Brits will be warned by post, agency says

Updated Last month, US credit score agency Equifax admitted the personal data for just under 400,000 UK accounts was slurped by hackers raiding its database. On Tuesday this week, it upped that number ever-so-slightly to 15.2 million.

In true buck-passing fashion, at the time of writing, Equifax hadn't even released a public statement on the matter. Instead it fell to Blighty's National Cyber Security Centre to reveal the bad news that a blundering American firm had put them at risk of phishing attacks.

“We are aware that Equifax was the victim of a criminal cyber attack in May 2017," the NCSC said in a statement today.

“Equifax have today updated their guidance to confirm that a file containing 15.2m UK records dating from between 2011 and 2016 was attacked in this incident. NCSC advises that passwords are not re-used on any accounts if you have been told by Equifax that any portion of your membership details have been accessed.”

Any answers to security questions – such as your mother's maiden name – given to Equifax during an account signup should now be considered compromised, the NCSC warned, and should be changed for other websites, if possible. Names, home and email addresses, telephone numbers, and account recovery question and answers were swiped by the hackers, and will be a boon to phishers obtaining the records, the centre warned.

UK folks should be on the lookout for phishing emails asking for their financial information or luring them to fake websites, using their Equifax records to make the messages look legit. Expect emails that quote your home address and some digits of your phone number to appear authentic, since those fields are exactly what the hackers now hold.

Hackers got into Equifax's servers in May this year by exploiting a flaw in Apache Struts the credit agency had neglected to patch. It took until July, though, for the biz to find out it had been infiltrated, and it stayed quiet until early September when it admitted 143 million US citizens had their info exposed to miscreants. Some senior executives sold off their stock days before the world learned of the hack, conveniently. A week later, the biz said about 400,000 Brits had also been hit in the IT break-in.


You'd have thought that with that amount of time to play with, and the nature of the information involved, Equifax would have given a bravura performance in how to deal with a database security breach. Instead, to describe the company's response as a car crash is unfair to automakers. Its website detailing the hack, equifaxsecurity2017.com, looked so unofficial and rushed together that many initially feared it was a phishing site itself, and the credit agency later had to stress that signing up for free credit monitoring as a result of the attack would not waive your rights to sue.

Next, Equifax's chief security officer and chief information officer left the outfit – not fired but instead allowed to retire with their golden parachutes. Shortly before trying to pin the cockup on a single lowly IT staffer, CEO Rick Smith also jumped ship, taking his $90m retirement pot with him.

In the meantime, outside investigators were checking up on Equifax's servers. Last week they upped the number of affected US citizens to 145.5 million, and said that a probe into the UK side of things was still ongoing. The UK investigation ended on October 2, according to Equifax. Eight days later, the bad news comes out and hundreds of thousands of British peeps are now on high alert.

While it has lost three senior executives in well-compensated disgrace, it looks unlikely Equifax will face any further sanctions. After all, we're not customers of Equifax who can refuse to provide data for its servers – it just collects it all, one way or another, and sells it on to others.

The US government certainly doesn't seem interested in causing Equifax grief. Instead, its Internal Revenue Service awarded the biz a $7.5m no-bid contract last week to provide – you guessed it – identity verification services. With tough action like that, things will obviously get better. ®

Stop press

Just as we were hitting the publish button, Equifax emitted the following clarification, saying the actual number of people in the UK seriously affected is about 700,000 due to duplicated data:

Today Equifax can confirm that a file containing 15.2m UK records dating from between 2011 and 2016 was attacked in this incident. Regrettably this file contained data relating to actual consumers as well as sizeable test datasets, duplicates and spurious fields. Equifax has brought every analytical tool, technique and data asset it has available to bear in order to ‘fill in the blanks’ and establish actual consumer identities and attribute a current home address to them. This complete, we have been able to place consumers into specific risk categories and define the services to offer them in order to protect against those risks and send letters to offer them Equifax and third-party safeguards with instructions on how to get started. This work has enabled us to confirm that we will need to contact 693,665 consumers by post.

The balance of the 14.5m records potentially compromised may contain the name and date of birth of certain UK consumers. Whilst this does not introduce any significant risk to these people, Equifax is sorry that this data may have been accessed.

Biting the hand that feeds IT © 1998–2021