Equifax mega-data breach hits 700,000 U.K. customers
"Consumer credit reporting agency Equifax was hit by a 'mega-breach' discovered in July 2017 which has hit 700,000 U.K. consumers."
Files containing a monumental 15.2 million U.K. data records between 2011 and 2016 were illegally accessed.
Hackers were able to steal information for months after technicians at Equifax Inc failed to apply vital security patches to known vulnerabilities. Around 145 million U.S. customers were hit by the breach, as well as the 700,000 U.K. victims.
Patricio Remon, European President of Equifax Ltd, expressed his "sincere personal apologies to anyone who has been impacted by this incident". As a financial reporting agency who collect and aggregate data for over 800 million individual consumers and 88 million businesses worldwide, Equifax are expected to uphold the highest of standards when it comes to cybersecurity; yet hackers were able to break into their systems with relative ease off the back of a well-known and highly publicised security flaw.
This is a serious breach that should have been prevented. Share values reportedly dropped by 14% after news broke of the breach, and there are reports of suspicious share sales just before the scandal emerged in the news as well...
What data has been hacked?
A wealth of data has been hacked - we're talking 15.2 million data records for almost 700,000 U.K. customers. This is a mega-breach that could easily go down in history.
Some 9,725 partially-redacted unique credit card numbers were accessed, as well as 29,188 driving license numbers. This is worrying news.
14,961 victims had their Equifax membership details like usernames, passwords, secret questions and answers, and partial credit card details exposed, with 637,430 phone numbers accessed and 12,086 email addresses associated with Equifax accounts hacked.
Combinations of the stolen data can easily arm scammers, fraudsters, and phishers with enough information to do serious harm. With the largest hacked file containing 14.5 million data records, the Equifax Data Breach is set to go down in history as one of the worst.
Who is affected?
Equifax initially thought the hacked data was limited to the 145 million U.S. customers given the data was stolen from servers in America. However, they later admitted that around 300,000 U.K. customers were also affected, but this figure quickly grew to 400,000 in a press release in September.
In a letter to the FCA, Equifax eventually admitted the actual figure was more than double what they originally thought, having identified 693,665 U.K. customers affected.
That being said, in relation to one of the hacked files, they accepted that "It is not possible to accurately identify how many individuals this relates to".
Risks to victims
Equifax acknowledge there are victims at the "highest risk of identity theft" given the nature of the information stolen. With such sensitive information from a credit reporting company being accessed for a prolonged period of time, there is a real risk of serious crimes being committed against victims, such as:
- Identity theft (we understand at least one person has already come forward and alleged this)
- Cold-call scams using information obtained from the hack
- Email phishing scams using information obtained from the hack
- Data held for ransom (we understand at least one person has already come forward and alleged this)
- Other financial fraud
As we often warn, even a little information can go a long way for a fraudster. With the wealth of highly sensitive financial and personal information stolen, victims of the Equifax Breach are at a real risk of serious financial crimes committed against them.
The U.K.'s Financial Conduct Authority (FCA), who regulate the U.K. company Equifax Limited, said:
"Credit reference agency firms are subject to the high level principles of the FCA regulatory regime, which include requirements on treating customers fairly and on ensuring adequate risk management, systems and controls. They are also subject to relevant data protection legislation which is enforced by the Information Commissioner's Office (ICO)."
How the hack happened
Suspicious activity was discovered by Equifax Limited's parent company, Equifax Inc, on 29 July 2017, and they hired cybersecurity firm Mandiant to investigate the concerns.
What they found was harrowing...
Equifax blamed the hack on a "combination of human error and technological error" after a technician failed to apply a security patch for the "CVE-2017-5638" vulnerability discovered in March 2017. On top of that, security scanners failed to detect that the vulnerability remained.
It has since been discovered that hackers had access to the database between mid-May and the end of July - a period of around ten weeks where private and sensitive information was dangerously exposed.
In a letter to the U.K.'s Chair of the Treasury Committee, Equifax admitted the hack was caused by the "failure of Equifax Inc personnel to apply an upgrade to the Equifax Inc US consumer dispute portal in March 2017. The technological error involved a scanner which failed to detect the vulnerability on this particular portal after the upgrade should have been made".
In terms of how U.K. victims have been caught up in the breach, it has been described as a "process error" that led to historic U.K. customers' information being retained in the U.S. after customer identity validation checks were carried out. This in itself may amount to a breach, and we're investigating what right the U.K. arm of the company had to transfer U.K. customer information to the U.S. parent company, Equifax Inc.
Regulators apply pressure on Equifax
The U.K.'s Financial Conduct Authority (FCA) and Information Commissioner's Office (ICO) are working together to investigate the breach, and have already raised concerns over how Equifax handled the discovery of the breach and the delay in warning authorities and consumers. Astonishingly, the U.K. regulators were only made aware of the breach via the media on 8th September 2017 because Equifax failed to warn them.
It's further understood that Equifax set up a bespoke "breach notification" website for customers to check if they were affected. However, internet security software deemed the site to be a potential "phishing site", creating further confusion and concern for victims involved.
But things got worse...
The site set up by Equifax, named "equifaxsecurity2017.com", was deemed by cybersecurity experts to be a risky move, and to prove a point, a researcher set up a website with a similar domain, named "securityequifax2017.com". His point was catastrophically proven when even the official Twitter account for Equifax inadvertently linked people to the wrong site; i.e. the dummy site set up by the researcher, resulting in further backlash from angered victims.
To press home the point, the fake webpage headline stated:
"Cybersecurity Incident & Important Consumer Information which is Totally Fake, why did Equifax use a domain that's so easily impersonated by phishing sites?"
With Equifax already acknowledging that the biggest risk to victims is phishing scams, the creation of the website has been heavily criticised. Their eventual move to notifying victims by post was welcomed by regulators in efforts to prevent people falling victim to electronic phishing scams arising from the breach.
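As an added illustration (not code from Equifax, the researcher or this article's authors), here is a pre-publication link check of the kind that would have flagged the mistaken tweet: it treats a domain as a lookalike when it reuses the official label's words in a different order or under another ending, or differs from it by a couple of characters. The allow-list, the word list and the sample links are assumptions constructed for the example.

```python
from urllib.parse import urlsplit

OFFICIAL = {"equifaxsecurity2017.com"}           # official domain named in the article
BRAND_TOKENS = ("equifax", "security", "2017")   # words that make up its label

def hostname(url):
    """Lower-cased host of a URL or bare domain, without a leading 'www.'."""
    host = (urlsplit(url if "//" in url else "//" + url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def tokens(label):
    """Split a label into brand tokens; None if any other text is present."""
    found, rest = [], label.replace("-", "")
    while rest:
        for tok in BRAND_TOKENS:
            if rest.startswith(tok):
                found.append(tok)
                rest = rest[len(tok):]
                break
        else:
            return None
    return found

def edit_distance(a, b):
    """Levenshtein distance, to catch one- or two-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url):
    """Return 'official', 'lookalike' or 'other' for a link about to be published."""
    host = hostname(url)
    if host in OFFICIAL:
        return "official"
    label = host.rsplit(".", 1)[0]
    toks = tokens(label)
    for good in OFFICIAL:
        good_label = good.rsplit(".", 1)[0]
        same_words = bool(toks) and sorted(toks) == sorted(tokens(good_label))
        if same_words or edit_distance(label, good_label) <= 2:
            return "lookalike"
    return "other"

SAMPLE = ["https://www.equifaxsecurity2017.com/", "securityequifax2017.com",
          "https://equifaxsecurty2017.example/enroll", "https://example.org/news"]  # constructed
```

Running `classify` over `SAMPLE` marks the second and third links as lookalikes, so a publishing workflow can hold them for manual review before they go out.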
We're taking cases on!
Our team has received a number of enquiries from people affected by the Equifax Data Breach. We've already taken cases on, and if you've been affected by the Equifax hack, contact us today for help and advice.
We're aware that Equifax are offering a "free comprehensive ID protection service" to some victims, which we find is a standard offer nowadays off the back of major breaches. You may be entitled to financial compensation as a victim of the Equifax breach as well, especially if you've been targeted by fraudsters.
Our team are incredibly worried about the phishing scams and fraudulent activity that typically follows a breach of this nature. A number of TalkTalk hack victims were contacted by scammers who had enough information about their accounts to convince them they were calling from TalkTalk, and thousands of pounds were consequently stolen.
Can you claim?
Equifax acknowledge that many victims risk "unwanted cold calling" like we saw after the TalkTalk hack. Whilst they say that any complaints will be "investigated fairly and promptly" with the aim to provide fair treatment to victims involved, we understand they're not looking at compensation for victims.
This is usual, and that's where we come in.
We're investigating the hack and we believe there is a case to answer. Equifax have clearly failed to secure sensitive information, and we'll be taking issue with the data of U.K. victims being moved abroad.
We've already accepted cases and we may be able to help you too. Our team have years of experience at the forefront of data protection compensation, having helped victims of the infamous 56 Dean Street clinic leak as well as helping victims of well-known hacks similar to the Equifax Breach, such as the TalkTalk hack and the Three hack.
For help and advice, please contact our team on 0800 634 75 75 or by using the form below.