Updated Last month, US credit score agency Equifax admitted the personal data for just under 400,000 UK accounts was slurped by hackers raiding its database. On Tuesday this week, it upped that number ever-so-slightly to 15.2 million records.
In true buck-passing fashion, at the time of writing, Equifax hadn't even released a public statement on the matter. Instead it fell to Blighty's National Cyber Security Centre to reveal the bad news that a blundering American firm had put millions of Brits at risk of phishing attacks.
“We are aware that Equifax was the victim of a criminal cyber attack in May 2017," the NCSC said in a statement today.
“Equifax have today updated their guidance to confirm that a file containing 15.2m UK records dating from between 2011 and 2016 was attacked in this incident. NCSC advises that passwords are not re-used on any accounts if you have been told by Equifax that any portion of your membership details have been accessed.”
Any answers to security questions – such as your mother's maiden name – given to Equifax during an account signup should now be considered compromised, the NCSC warned, and should be changed on other websites, if possible. Those answers double as account-recovery credentials on many other services, so a leaked answer is effectively a reusable password. Names, home and email addresses, telephone numbers, and account recovery questions and answers were swiped by the hackers, and will be a boon to any phishers who get hold of the records, the centre warned.
UK folks should be on the lookout for phishing emails asking for their financial information or luring them to fake websites, with the crooks using the stolen Equifax records to make the messages look legit. Recipients will likely get an email quoting their home address and some digits of their phone number to make it appear authentic; knowledge of those details is no longer proof that a message is genuine.
Hackers got into Equifax's servers in May this year by exploiting a flaw in the Apache Struts web framework for which a fix was available but which the credit agency had neglected to apply. It took until July, though, for the biz to find out it had been infiltrated, and it stayed quiet until early September, when it admitted 143 million US citizens had had their info exposed to miscreants. Some senior executives sold off their stock days before the world learned of the hack, conveniently. A week later, the biz said about 400,000 Brits had also been hit in the IT break-in.
You'd have thought that with that amount of time to play with, and the nature of the information involved, Equifax would have given a bravura performance in how to deal with a database security breach. Instead, to describe the company's response as a car crash is unfair to automakers. Its website detailing the hack, equifaxsecurity2017.com, looked so unofficial and hastily thrown together that many initially feared it was a phishing site itself, and the credit agency later had to stress that signing up for free credit monitoring as a result of the attack would not waive your right to sue.
Next, Equifax's chief security officer and chief information officer left the outfit – not fired but instead allowed to retire with their golden parachutes. Shortly after trying to pin the cockup on a single lowly IT staffer, CEO Rick Smith also jumped ship, taking his $90m retirement pot with him.
In the meantime, outside investigators were checking up on Equifax's servers. Last week they upped the number of affected US citizens to 145.5 million, and said a probe into the UK side of things was still ongoing. The UK investigation ended on October 2, according to Equifax. Eight days later, the bad news came out, and hundreds of thousands of British peeps are now on high alert.
While it has lost three senior executives in well-compensated disgrace, it looks unlikely Equifax will face any further sanctions. After all, we're not customers of Equifax who can refuse to hand over data for its servers – it just collects it all, one way or another, and sells it on to others.
The US government certainly doesn't seem interested in causing Equifax grief. Instead, its Internal Revenue Service awarded the biz a $7.5m no-bid contract last week to provide – you guessed it – identity verification services. With tough action like that, things will obviously get better. ®
Just as we were hitting the publish button, Equifax emitted the following clarification, saying the actual number of people in the UK seriously affected is about 700,000, the rest of the 15.2 million records being test data, duplicates and junk fields:
Today Equifax can confirm that a file containing 15.2m UK records dating from between 2011 and 2016 was attacked in this incident. Regrettably this file contained data relating to actual consumers as well as sizeable test datasets, duplicates and spurious fields. Equifax has brought every analytical tool, technique and data asset it has available to bear in order to ‘fill in the blanks’ and establish actual consumer identities and attribute a current home address to them. This complete, we have been able to place consumers into specific risk categories and define the services to offer them in order to protect against those risks and send letters to offer them Equifax and third-party safeguards with instructions on how to get started. This work has enabled us to confirm that we will need to contact 693,665 consumers by post.
The balance of the 14.5m records potentially compromised may contain the name and date of birth of certain UK consumers. Whilst this does not introduce any significant risk to these people, Equifax is sorry that this data may have been accessed.