Cybersecurity incident - UK update
In early September 2017, our US parent company announced it had been the victim of a criminal cyberattack back in May. Although our UK business was not breached, the attack compromised the personal information of some UK consumers.
A file containing 15.2m UK records dating from between 2011 and 2016 was attacked in this incident. This file contained duplicates and spurious fields as well as sizeable test datasets. It also contained data relating to actual consumers.
Equifax brought to bear every analytical tool, technique and data asset it has available in order to ‘fill in the blanks’ and establish actual consumer identities and attribute a current home address to them.
This time-consuming and technically difficult analysis established that Equifax UK will need to contact 693,665 consumers by mail to offer them appropriate ID protection services. The information we were able to piece together about what was hacked allowed us to place these consumers into specific risk categories and define which services to offer them in order to protect against those risks.
We have written to, or are in the process of writing to, all these consumers to offer them Equifax and third-party safeguards and instructions on how to get started.
How much information has been stolen?
12,086 people have had the email address associated with their Equifax account in 2014 accessed. 14,961 people have had their Equifax membership details from 2014 accessed – this is likely to include username, password, secret questions and answers, and partial credit card details. There are also 29,188 consumers who had their name and driving license number accessed.
The rest - 637,430 - had their name and a phone number accessed.
Am I at risk of fraud?
If you receive a letter from Equifax, you may be at risk of fraud. Our priority is to ensure all affected consumers receive the advice and protection they need to safeguard themselves.
Consumers who receive a letter from Equifax and who wish to take up one of the ID protection services on offer, or who have any further questions, will be given options to contact us via the web or via a dedicated telephone line.
These services are free to use, simple to sign up for and will provide immediate protection. Consumers should note that Equifax correspondence will never ask them for money or cite any personal details, and if they receive such correspondence, they should not respond. We will also not be making any outbound telephone calls to consumers for security reasons.
What happens next?
For practical reasons, it will take us a little time to post letters to all 693,665 consumers, but the correspondence is in process.
This letter is bespoke to each consumer group and details precisely what data has been compromised and what free services are available to help them protect their identity in light of this breach. This includes access to credit information and alerts to any potential signs of fraudulent activity. The services incorporate web and social media monitoring, and alerts to any publicly available information about them. Equifax will also provide links to services provided by other UK-regulated organisations which these consumers may prefer to take up in addition to, or instead of, the free services provided by Equifax.