Cybersecurity incident - information for UK consumers

On 10 February 2020, the U.S. Department of Justice issued a statement concerning the indictment of individuals in connection with the theft of consumer data held by Equifax in 2017.  While the statement concerned US proceedings, the incident also involved approximately 15.2 million UK consumer records stored in the US, as previously advised on 10 October 2017.

Following further analysis by Equifax Ltd, we found that these records included personal data, comprising name and date of birth, relating to approximately 12.3 million individuals. In addition, for a smaller group of UK consumers the records included additional personal data such as driving licence and telephone numbers.  Following the announcement on 10 October 2017, Equifax Ltd offered this group of approximately 841,000 UK consumers identity protection products and services.

No UK servers or systems were affected during this incident and there has been no evidence of criminal use of the data. Any consumer who has questions or concerns can call our dedicated Freephone number on 0800 587 1584.

Press Release 20/09/2018: Please click here for the Equifax response to the ICO’s press release and Monetary Penalty Notice.

In early September 2017, Equifax Ltd.’s US parent company announced it had been the victim of a criminal cyberattack. Although UK systems were not breached, the attack compromised the personal information of some UK consumers.  The information below is designed to answer any questions you may have about the incident and how it impacts you if you are one of those affected.

If you have received a letter from Equifax and would like to sign-up for your free Equifax Protect service please click here. If you would like to sign up for any other service please call the free helpline in your letter, 0800 587 1584, and quote the unique reference number in your letter.

Video

Janice Rudd, Operations Director at Equifax talks about the cyber-security incident which the company faced last year, how it is helping impacted consumers and what to do if you have received a letter.

Contents

  1. Background to the cybersecurity incident
  2. About Equifax
  3. Our commitment to consumers
  4. Frequently Asked Questions (including information of free services)
  5. Additional contacts

1. Background to the cybersecurity incident

INCIDENT UPDATE – 18/01/18

In early September 2017, Equifax Ltd.’s US parent company announced it had been the victim of a criminal cyberattack. Although UK systems were not breached, the attack compromised the personal information of some UK consumers.

A file containing 15.2m UK records dating from between 2011 and 2016 was attacked in this incident. As well as featuring some information about actual consumers, this file also contained duplicates and data for testing purposes. Equifax has used all available resources to identify the actual consumers impacted and their current home address. After a period of time-consuming and technically difficult analysis, Equifax was able to piece together information which allowed it to place these consumers into specific risk categories.

On 10th October 2017, Equifax Ltd. announced that it would be writing to 693,665 UK consumers whose information was included in the files that were attacked. This process has now been completed and we encourage anyone who has received a letter from us to call the Freephone number 0800 587 1584.

These consumers were categorised into four risk groups; (1) consumers who had an email address associated with their equifax.co.uk account accessed, (2) consumers who had portions of their equifax.co.uk membership details accessed – such as username, password, secret questions and answers and partial credit card details, (3) consumers who had their driving licence number accessed and (4) consumers who had their phone number accessed.

Everyone in categories 1-3 will also receive a follow-up letter during this time. We encourage consumers in category 4 who have received a letter but have not yet been in touch to contact us on our Freephone number 0800 587 1584 or to sign up directly for Equifax Protect click here. Information on the Telephone Preference Service is also provided in the FAQ section below.

In addition, we have now taken the decision to write to a further 167,431 UK consumers from this file whose landline telephone numbers are already published in the public Phone Book but were accessed as part of the cyberattack. These letters will be issued by the end of January.

We are offering this group the same free ID protection services as outlined in the initial consumer letters. In addition, our Freephone number, 0800 587 1584, will remain open to help consumers access these safeguards quickly and simply. So that they can further protect their personal information, the letter they receive will also provide details of how they can delist their telephone number from the Phone Book, should they wish.

2. About Equifax

We are a Credit Reference Agency (CRA) that is authorised and regulated by the Financial Conduct Authority in the UK. Credit referencing enables lenders to make instant decisions when you apply for credit. It's a process that involves both lenders and credit reference agencies like Equifax. Working together, they share financial information about an individual to help assess their credit history and judge their ability to repay future credit. This information is then kept up-to-date through regular updates by the financial companies to the credit reference agencies.

Lenders will contact us to find out how much credit you have borrowed and what your repayment history has been like. Public information like electoral register data and whether you have any court actions for debt will also be shared. Lenders will then use this data to make a quick, informed decision when credit is applied for.

Your credit report and score will influence the financial products you’ll be accepted for. In simple terms, if a lender views you as being more likely to repay, and less likely to default on a payment, they’ll be happier to offer you a lower interest rate. This also helps to promote a culture of responsible lending and protect you from over extending yourself financially.

Verifying data like identity, age and residence, and preventing and detecting criminal activity, fraud and money laundering

The CRAs also use data to provide verification and crime prevention and detection services to their clients, as well as fraud and anti-money-laundering services. For example:

  • When you apply to an organisation for a product or service the organisation might ask you to answer questions, and then check the answers against the data held by a CRA such as your phone number, date of birth or driving licence number. This helps confirm the person they are dealing with is actually you and not someone attempting to commit identity theft or any other kind of fraud in your name.
  • If you apply for credit the lender or creditor might check the historic fraud data held by CRAs to try to prevent fraud.

3. Our commitment to consumers

Our priority is to write to those consumers in the four risk categories we identified so that we can offer them the advice and protection they need to safeguard their personal information.

If you have received a letter it will outline possible fraud risks you may face and what your options are to protect yourself.  We also provide a range of free services that we are offering to help protect you against the risk of ID theft. These services monitor your personal data and provide alerts by email or SMS message to potential signs of fraudulent activity. We also provide links to services provided by other UK regulated organisations which you may prefer to take-up in addition to, or instead of, the free services provided by us.

4. Frequently Asked Questions

What should I do if I receive a letter?

If you receive a letter from us and wish to take-up one of the free ID protection services on offer or have any further questions you can call us on our Freephone number, 0800 587 1584. If you would like to sign up to Equifax Protect you can do so by clicking here and entering the reference number printed on the top left of your letter.

I am suspicious of a letter I have received that appears to be from Equifax - what should I do?

If you have received a letter from Equifax it will have a unique reference number on the top left of the letter.  If you would like to sign-up for your free Equifax Protect service please click here. If you would like to sign up for any other service or have any questions about the letter, please call the free helpline in your letter.  Please be aware that Equifax correspondence on this issue will never ask you for money or personal information. For security reasons we will also not contact you about the cybersecurity incident by email or phone.

What is the difference between Equifax Protect and Equifax WebDefend?

Equifax Protect is a free service that provides credit and personal data monitoring and Equifax WebDefend is included as part of this service. For more information see below; 

Equifax Protect

Equifax Protect is an identity protection service that monitors your personal data, including your credit information, and alerts you by email or SMS message to potential signs of fraudulent activity. We can provide this for 12 months. If you want it for longer it will automatically extend for another 12 months free of charge.

If you have received a letter you can activate this service by using the reference code in the letter and by clicking here. It will help you track when and where your data is being used so you can identify any unauthorised activity. It consists of:

  • Equifax WebDefend as detailed below;
  • Regular email or SMS alerts notifying you of any significant changes to your Equifax Credit Report. This will help you identify any fraudulent activity early on.
  • Unlimited access to your Equifax Credit Report that allows you to check that the information held on your credit report is correct.

Equifax WebDefend

If you do not wish to take Equifax Protect then you can still take Equifax WebDefend.  The only information you need to provide to sign up for this service is your name, gender and email address.  This service includes

  • Monitoring of websites used by fraudsters to trade personal information
  • Alerts if your information is found to be at risk
  • You can set up alerts for the following:
    • Driving licence number
    • 6 different telephone numbers
    • 6 different email addresses
    • 12 Credit / Debit cards
    • 6 Bank Accounts
    • National Insurance

Cifas Protective Registration

Cifas Protective Registration is a service that reduces the risk of identity fraud. It is provided by a separate organisation called Cifas, which is the UK’s leading fraud protection service.

On registration, your details will be added to the National Fraud Database, which will mean that applying for products and services may take longer than usual because organisations will take further steps to verify your identity.

Equifax can apply for this service on your behalf and we will cover the cost of this service for one year. The service takes around 10 minutes to set up via phone, and we will need to provide Cifas with your name, gender, date of birth, current address, contact telephone number and email address. Call us on Freephone 0800 587 1584.

You can find more information on this service at https://www.cifas.org.uk/services/identity-protection/protective-registration

I have received a letter for a person who's no longer living in the address - what should I do?

Please return the letter unopened to us with a note indicating that the individual is not known at the address. Equifax can't discuss information held in a person's name with a third party and we are unable to confirm or discuss any information that may be held at the address in that person's name.

Why did it take you so long to contact me about this?

As soon as we discovered the unauthorised access, we acted immediately to stop the intrusion. We promptly engaged a leading, independent cybersecurity firm which conducted a comprehensive forensic review to determine the scope of the intrusion, including the specific data impacted.

Because this incident involved a substantial amount of personal identifying information, the investigation has been complex and time-consuming. As soon as we had enough information to identify those consumers impacted, we took appropriate steps to do so. We also reported the criminal access to law enforcement, and we continue to work with the relevant authorities.

How and why did you have my personal information?

As an FCA regulated Credit Reference Agency, Equifax helps to manage the financial data that forms an individual’s credit score. Lenders will contact Equifax to find out how much credit you have borrowed and what your repayment history has been like. Public information like electoral register data and whether you have any court actions for debt will also be shared. Lenders will then use this data to make a quick, informed decision when credit is applied for.

This information is passed to Credit Reference Agencies either based on the notifications given to consumers at the time the information is collected, or according to the rules under which information collected by public sector bodies is shared.

This information is then used to help organisations manage their relationships with consumers, including: identifying them correctly; preventing fraud; making better lending and credit decisions; and collecting debts. Without the help of credit referencing agencies it would be impossible to get a mortgage, a mobile phone contract, a car loan, or insurance policies of any kind.

If I sign up with you how do I know my information will be secure?

We want to assure you that at Equifax we take our responsibility to protect personal data very seriously. Following this incident the UK business is conducting a thorough review of its security operations.

However, we understand that you may not feel comfortable using our service now. There are other providers that can provide your credit report and score free of charge, including Noddle www.noddle.co.uk who are part of CallCredit and Clearscore www.clearscore.com who use Equifax data.

What to do if your question isn’t answered here

If the question you have is not answered here, then you can raise a query or complaint by clicking here.  Alternatively you can call our call centre on 0800 5871584. We are open 8am – 8pm daily.

5. Additional contacts

There are several independent websites providing useful information on how to identify if fraud has taken place and actions you can take to protect yourself.

The ICO (Information Commissioners Office) www.ico.org.uk/for-the-public/identity-theft
Action Fraud www.actionfraud.police.uk
UK Finance www.financialfraudaction.org.uk/consumer
CardWatch www.cardwatch.org.uk
National Crime Agency www.nationalcrimeagency.gov.uk/crime-threats/cyber-crime/online-threats-to-consumers
TPS (Telephone Preference Service) www.tpsonline.org.uk/tps/index.html

 

The Telephone Preference Service is a free service that manages the official central opt out register where you can record your preference not to receive unsolicited calls. Their website provides more information about this service. Alternatively you can contact your telephone provider and ask them to remove your landline telephone from the Phone Book. This is known as becoming “ex-directory” and limits the likelihood that you will be contacted by cold callers or telemarketing companies.