Equifax mega-data breach hits 700,000 U.K. customers
"Consumer credit reporting agency Equifax was hit by a 'mega-breach' discovered in July 2017 which has hit 700,000 U.K. consumers."
Files containing a monumental 15.2 million U.K. data records between 2011 and 2016 were illegally accessed.
Hackers were able to steal information for months after technicians at Equifax Inc failed to apply vital security patches to known-vulnerabilities. Around 145 million U.S. customers were also hit by the breach as well as the 700,000 U.K. victims.
Patricio Remon, European President of Equifax Ltd, expressed his "sincere personal apologies to anyone who has been impacted by this incident". As a financial reporting agency who collect and aggregate data for over 800 million individual consumers and 88 million businesses worldwide, Equifax are expected to uphold the highest of standards when it comes to cybersecurity; yet hackers were able to break in to their systems with relative ease off the back of a well-known and highly publicised security flaw.
This is a serious breach that should have been prevented. Share values reportedly dropped by 14% after news broke of the breach, and there are reports of suspicious share sales just before the scandal emerged in the news as well...
What data has been hacked?
A wealth of data has been hacked - we're talking 15.2 million data records for almost 700,000 U.K. customers. This is a mega-breach that could easily go down in history.
Some 9,725 partially-redacted unique credit card numbers were accessed, as well as 29,188 driving license numbers. This is worrying news.
14,961 victims had their Equifax membership details like usernames, passwords, secret questions and answers, and partial credit card details exposed, with 637,430 phone numbers accessed and 12,086 email addresses associated with Equifax accounts hacked.
Combinations of the stolen data can easily arm scammers, fraudsters, and phishers with enough information to do serious harm. With the largest hacked file containing 14.5 million data records, the Equifax Data Breach is set to go down in history as one of the worst.
Who is affected?
Equifax initially thought the hacked data was limited to the 145 million U.S. customers given the data was stolen from servers in America. However, they later admitted that around 300,000 U.K. customers were also affected, but this figure quickly grew to 400,000 in a press release in September.
In a letter to the FCA, Equifax eventually admitted the actual figure was more than double what they originally thought, having identified 693,665 U.K. customers affected.
That being said, in relation to one of the hacked files, they accepted that "It is not possible to accurately identify how many individuals this relates to".
Risks to victims
Equifax acknowledge there are victims at the "highest risk of identity theft" given the nature of the information stolen. With such sensitive information from a credit reporting company being accessed for a prolonged period of time, there is a real risk of serious crimes being committed against victims, such as:
- Identify theft (we understand at least one person has already come forward and alleged)
- Cold-call scams using information obtained from the hack
- Email phishing scams using information obtained from the hack
- Data held for ransom (we understand at least one person has already come forward and alleged)
- Other financial fraud
As we often warn, even a little information can go a long way for a fraudster. With the wealth of highly sensitive financial and personal information stolen, victims of the Equifax Breach are at a real risk of serious financial crimes committed against them.
The U.K.'s Financial Conduct Authority (FCA), who regulate the U.K. company Equifax Limited, said:
"Credit reference agency firms are subject to the high level principles of the FCA regulatory regime, which include requirements on treating customers fairly and on ensuring adequate risk management, systems and controls. They are also subject to relevant data protection legislation which is enforced by the Information Commissioner's Office (ICO)."
How the hack happened
Suspicious activity was discovered by Equifax Limited's parent company, Equifax Inc, on 29 July 2017, and they hired cybersecurity firm Mandiant to investigate the concerns.
What they found was harrowing...
Equifax blamed the hack on a "combination of human error and technological error" after a technician failed to apply a security patch for the "CVE-2017-5638" vulnerability discovered in March 2017. On top of that, security scanners failed to detect the vulnerability remained.
It has since been discovered that hackers had access to the database between mid-May and the end of July - a period of around ten weeks where private and sensitive information was dangerously exposed.
In a letter to the U.K.'s Chair of the Treasury Committee, Equifax admitted the hack was caused by the "failure of Equifax Inc personnel to apply an upgrade to the Equifax Inc US consumer dispute portal in March 2017. The technological error involved a scanner which failed to detect the vulnerability on this particular portal after the upgrade should have been made".
In terms of how U.K. victims have been caught up in the breach, it has been described as a "process error" that led to historic U.K. customers' information being retained in the U.S. after customer identity validation checks were carried out. This in itself may amount to a breach, and we're investigating what right the U.K. arm of the company had to transfer U.K. customer information to the U.S. parent company, Equifax Inc.
Regulators apply pressure on Equifax
The U.K.'s Financial Conduct Authority (FCA) and Information Commissioners' Office (ICO) are working together to investigate the breach, and have already raised concerns over how Equifax handled the discovery of the breach and the delay in warning authorities and consumers. Astonishingly, the U.K. regulators were only made aware of the breach via the media on 8th September 2017 because Equifax failed to warn them.
It's further understood that Equifax set up a bespoke "breach notification" website for customers to check if they were affected. However, internet security software deemed the site to be a potential "phishing site", creating further confusion and concern for victims involved.
But things got worse...
The site set up by Equifax, named "equifaxsecurity2017.com", was deemed by cybersecurity experts to be a risky move, and to prove a point, a researcher set up a website with a similar domain, named "securityequifax2017.com". His point was catastrophically proven when even the official Twitter account for Equifax inadvertently linked people to the wrong site; i.e. the dummy site set up by the researcher, resulting in further backlash from angered victims.
To press home the point, the fake webpage headline stated:
"Cybersecurity Incident & Important Consumer Information which is Totally Fake, why did Equifax use a domain that's so easily impersonated by phishing sites?"
With Equifax already acknowledging that the biggest risk to victims is phishing scams, the creation of the website has been heavily criticised. Their eventual move to notifying victims by post welcomed by regulators in efforts to prevent people falling victim to electronic phishing scams arising from the breach.
We're taking cases on!
Our team has received a number of enquiries from people affected by the Equifax Data Breach. We've already taken cases on, and if you've been affected by the Equifax hack, contact us today for help and advice.
We're aware that Equifax are offering a "free comprehensive ID protection service" to some victims, which we find is a standard offer nowadays off the back of major breaches. You may be entitled to financial compensation as a victim of the Equifax breach as well, especially if you've been targeted by fraudsters.
Our team are incredibly worried about the phishing scams and fraudulent activity that typically follows a breach of this nature. A number of TalkTalk hack victims were contacted by scammers who had enough information about their accounts to convince them they were calling from TalkTalk, and thousands of pounds were consequently stolen.
Can you claim?
Equifax acknowledge that many victims risk "unwanted cold calling" like we saw after the TalkTalk hack. Whist they say that any complaints will be "investigated fairly and promptly" with the aim to provide fair treatment to victims involved, we understand they're not looking at compensation for victims.
This is usual, and that's where we come in.
We're investigating the hack and we believe there is a case to answer for. Equifax have clearly failed to secure sensitive information, and we'll be taking issue with the data of U.K. victims being moved abroad.
We've already accepted cases and we may be able to help you too. Our team have years of experience at the forefront of data protection compensation, having helped victims of the infamous 56 Dean Street clinic leak as well as helping victims of well-known hacks similar to the Equifax Breach, such as the TalkTalk hack and the Three hack.
For help and advice, please contact our team on 0800 634 75 75 or by using the form below.
Request a call back from our team
Fill out our quick call back form below and we'll contact you when you're ready to talk to us.
All fields marked with a * are required.
Latest Blogs from The Data Leak Lawyers
The Butlins data breach incident was one of many that hit the UK in 2018. As holidays are getting booked up in the post-Chris...Jan 18, 2019
The York Council app that was hacked late last year has reportedly been shut down as a result of the data breach incident. ...Jan 17, 2019
If you've been victim of a Suffolk Council data breach, we may be able to help you; and you're not alone either! Recent da...Jan 16, 2019
The Marriott data breach UK action for compensation may grow as revelations about unencrypted passport numbers being exposed ...Jan 15, 2019
The No Win, No Fee Equifax data breach compensation action we launched in 2017 is still going strong, and we're still accepti...Jan 14, 2019
The incredibly serious Wokingham Council data breach that came to light in the last few weeks was a severe example of how bad...Jan 11, 2019
The Chelmsford City Council data breach was another preventable incident of information exposure by a local authority that ha...Jan 10, 2019