Some of the 15 million Britons affected by the Equifax mega-hack are only now receiving letters notifying them that they were affected by the breach, eight months after the event.
As we reported in September 2017, Equifax confessed to having been hacked, upping the number of affected people in the following weeks to a 145 million total (last month, it upped it again by another 2.4 million) as it got to grips with the scale of the breach.
It later involuntarily retired its chief exec, who graciously blamed the entire thing on a single IT staffer who hadn’t installed an Apache Struts patch issued in the weeks before the hack.
Although Equifax began writing to affected Britons in October, it appears the company is still in the process of posting letters to hack victims warning them to be on their guard.
"I’m just fucked off it's taken this long to tell me!" spluttered Reg reader John, who received the letter above earlier this week. Others in the UK have also been receiving similar letters, as a cursory glance at one particularly well-known microblogging website shows:
In February Equifax also quietly coughed to American government agencies that the hacked data included US citizens’ taxpayer ID numbers, phone numbers, email addresses and credit card expiry dates. Despite public sector outrage at this in the US, a proposed investigation was quietly dropped, with nobody involved admitting why.
The British government’s pet Peeping Tom agency, GCHQ, issued a statement through its public-facing National Cybersecurity Centre offshoot warning Brits not to re-use passwords that were previously used on Equifax services, as well as other security-sensitive data such as answers to password reset questions. Other obvious attack vectors include phishing attempts such as emails luring the unwary into clicking on links to attack websites designed to steal login information.
We have contacted Equifax for comment and its PR agency has promised to send us a timeline of the credit reference agency's efforts to contact hack victims. We will update this article if it responds. ®
Equifax eventually got round to telling us this:
In early September 2017, Equifax Ltd.’s US parent company announced it had been the victim of a criminal cyberattack. Although UK systems were not breached, the attack compromised the personal information of some UK consumers.
A file containing 15.2m UK records dating from between 2011 and 2016 was attacked in this incident.
On 10th October 2017, Equifax Ltd. announced that it would be writing to 693,665 UK consumers whose information was included in the files that were attacked.
Equifax also took the decision to write to a further 167,431 UK consumers whose landline telephone numbers are already published in the public Phone Book but were accessed as part of the cyberattack. These letters were issued end of January 2018.
In addition, Equifax sent out reminder letters between 5th March and 17th April.