Equifax Ltd (UK): UPDATE REGARDING THE ONGOING INVESTIGATION INTO US CYBER SECURITY INCIDENT
In early September 2017, Equifax Inc., our US parent company, announced it had been the victim of a criminal cyber-attack in May 2017. Although our UK business was not breached, the attack regrettably compromised the personal information of a range of UK consumers.
Equifax apologises unreservedly for any risks to consumers arising as a result of this criminal hack. We continue to work closely with law enforcement and other agencies as well as leading external advisers to learn lessons for the future.
It has always been Equifax’s intention to write to those consumers whose information had been illegally compromised, but it would have been inappropriate and irresponsible of us to do so before we had absolute clarity on what data had been accessed. Following the completion of an independent investigation into the attack, and with agreement from appropriate investigatory authorities, Equifax has begun corresponding with affected consumers.
We would like to take this opportunity to emphasise that Equifax correspondence will never ask consumers for money or cite personal details to seek financial information, and if they receive such correspondence they should not respond. For security reasons, we will not be making any outbound telephone calls to consumers. However, customers can call our Freephone number on 0800 587 1584 for more information.
Today Equifax can confirm that a file containing 15.2m UK records dating from between 2011 and 2016 was attacked in this incident. Regrettably this file contained data relating to actual consumers as well as sizeable test datasets, duplicates and spurious fields. Equifax has brought every analytical tool, technique and data asset it has available to bear in order to ‘fill in the blanks’ and establish actual consumer identities and attribute a current home address to them. This complete, we have been able to place consumers into specific risk categories and define the services to offer them in order to protect against those risks and send letters to offer them Equifax and third-party safeguards with instructions on how to get started. This work has enabled us to confirm that we will need to contact 693,665 consumers by post. Details are set out in the box below. The balance of the 14.5m records potentially compromised may contain the name and date of birth of certain UK consumers. Whilst this does not introduce any significant risk to these people Equifax is sorry that this data may have been accessed.
Equifax takes this illegal and unprecedented breach of consumers’ data extremely seriously and has begun writing to the groups of consumers outlined below to notify them of the nature of the breach and offer them appropriate advice. For each group of consumers, Equifax is offering several Equifax and third party risk mitigation products for free to reassure consumers and minimise any risk of possible criminal activity.
Equifax Inc. announced on October 2, 2017 that its third party cybersecurity expert had concluded its forensics investigation. Our analysis of all potentially affected data relating to UK subjects is now complete and there are four groups of consumers to whom Equifax will be writing to offer the following safeguards and support:
|Consumer groups||Remedial action|
12,086 consumers who had an email address associated with their Equifax.co.uk account in 2014 accessed
14,961 consumers who had portions of their Equifax.co.uk membership details such as username, password, secret questions and answers and partial credit card details - from 2014 accessed
29,188 consumers who had their driving licence number accessed
We will offer Equifax Protect for free. This is an identity protection service which monitors personal data. Products and services from third party organisations will also be offered at no cost to consumers. In addition to the services set-out above, further information will be outlined in the correspondence.
637,430 consumers who had their phone numbers accessed
Consumers who had a phone number accessed will be offered a leading identity monitoring service for free.
Consumers who receive a letter from Equifax and who wish to take-up one of the ID protection services on offer, who have any further questions, or who are concerned will be able to contact us via the web or via a dedicated telephone line seven days a week. These services are free to use, simple to sign up for and will provide immediate protection.
Patricio Remon, President for Europe at Equifax Ltd (UK), said, “Once again, I would like to extend my most sincere apologies to anyone who has been concerned about or impacted by this criminal act. Let me take this opportunity to emphasise that protecting the data of our consumers and clients is always our top priority.
It has been regrettable that we have not been able to contact consumers who may have been impacted until now, but it would not have been appropriate for us to do so until the full facts of this complex attack were known, and the full forensics investigation was completed.
I urge anyone who receives a letter from Equifax to take advantage of the remedial services being offered to help mitigate against any risk, or to contact us should you have any questions.”
For all media enquiries please contact Portland Communications on 0207 554 1856 or firstname.lastname@example.org