In early September 2017, Equifax Inc., its US parent company, announced it had been the victim of a criminal cyber-attack in May 2017. Although its UK business was not breached, the attack regrettably compromised the personal information of a range of UK consumers.
Equifax apologised unreservedly for any risks to consumers arising as a result of this criminal hack. The company will continue to work closely with law enforcement and other agencies as well as leading external advisers to learn lessons for the future.
It has always been Equifax’s intention to write to those consumers whose information had been illegally compromised, but it would have been inappropriate and irresponsible of them to do so before they had absolute clarity on what data had been accessed. Following the completion of an independent investigation into the attack, and with agreement from appropriate investigatory authorities, Equifax has begun corresponding with affected consumers.
The company wants to emphasise that Equifax correspondence will never ask consumers for money or cite personal details to seek financial information, and if they receive such correspondence they should not respond. For security reasons, they will not be making any outbound telephone calls to consumers.
Equifax confirmed that a file containing 15.2m UK records dating from between 2011 and 2016 was attacked in this incident. Regrettably this file contained data relating to actual consumers as well as sizeable test datasets, duplicates and spurious fields. Equifax has brought every analytical tool, technique and data asset it has available to bear in order to ‘fill in the blanks’ and establish actual consumer identities and attribute a current home address to them. This complete, they have been able to place consumers into specific risk categories and define the services to offer them in order to protect against those risks and send letters to offer them Equifax and third-party safeguards with instructions on how to get started. This work has enabled them to confirm that they will need to contact 693,665 consumers by post. The balance of the 14.5m records potentially compromised may contain the name and date of birth of certain UK consumers. Whilst this does not introduce any significant risk to these people Equifax has apologised that this data may have been accessed.
Equifax takes this illegal and unprecedented breach of consumers’ data extremely seriously and has begun writing to the groups of consumers outlined below to notify them of the nature of the breach and offer them appropriate advice. For each group of consumers, Equifax is offering several Equifax and third party risk mitigation products for free to reassure consumers and minimise any risk of possible criminal activity.
Equifax Inc. announced on October 2, 2017 that its third party cybersecurity expert had concluded its forensics investigation. Their analysis of all potentially affected data relating to UK subjects is now complete and there are four groups of consumers to whom Equifax will be writing to offer the following safeguards and support:
| Consumer groups | Remedial action |
|---|---|
| 12,086 consumers who had an email address associated with their Equifax.co.uk account in 2014 accessed
14,961 consumers who had portions of their Equifax.co.uk membership details such as username, password, secret questions and answers and partial credit card details – from 2014 accessed
29,188 consumers who had their driving licence number accessed |
Will offer Equifax Protect for free. This is an identity protection service which monitors personal data. Products and services from third party organisations will also be offered at no cost to consumers. In addition to the services set-out above, further information will be outlined in the correspondence. |
| 637,430 consumers who had their phone numbers accessed | Consumers who had a phone number accessed will be offered a leading identity monitoring service for free. |
Consumers who receive a letter from Equifax and who wish to take-up one of the ID protection services on offer, who have any further questions, or who are concerned will be able to contact them via the web or via a dedicated telephone line seven days a week. These services are free to use, simple to sign up for and will provide immediate protection.
Patricio Remon, President for Europe at Equifax Ltd (UK), said, “Once again, I would like to extend my most sincere apologies to anyone who has been concerned about or impacted by this criminal act. Let me take this opportunity to emphasise that protecting the data of our consumers and clients is always our top priority.
It has been regrettable that we have not been able to contact consumers who may have been impacted until now, but it would not have been appropriate for us to do so until the full facts of this complex attack were known, and the full forensics investigation was completed.
I urge anyone who receives a letter from Equifax to take advantage of the remedial services being offered to help mitigate against any risk, or to contact us should you have any questions.”