
Heads roll as Equifax reveals 400,000 Britons affected by breach

Equifax replaces two senior staff members as it reveals how many Britons were hit by a massive data breach that affected millions of consumers

Financial services firm Equifax has revealed that around 400,000 UK consumers were affected by the data breach earlier this year alongside more than 140 million US and Canadian consumers.

The company said Equifax UK systems were not affected by the breach, but a file containing UK consumer information may have been accessed.

This was due to a “process failure”, corrected in 2016, which the company said led to a limited amount of UK data being stored in the US between 2011 and 2016.

The information was restricted to name, date of birth, email address and telephone number. “Equifax can confirm that the data does not include any residential address information, password information or financial data,” the company said.

After an “initial assessment”, Equifax has established that it is likely to need to contact fewer than 400,000 UK consumers to offer them appropriate advice and a range of services to help safeguard and reassure them, the statement said.

Equifax said that, although identity takeover is unlikely for the UK consumers whose data was potentially accessed in this incident, the company would be contacting affected consumers in writing to offer them a free comprehensive identity protection service.

“We apologise for this failure to protect UK consumer data. Our immediate focus is to support those affected by this incident and to ensure we make all of the necessary improvements and investments to strengthen our security and processes going forward,” said Patricio Remon, president at Equifax.

Equifax said it is in dialogue with the UK’s Financial Conduct Authority (FCA) and Information Commissioner’s Office (ICO).

The ICO has been pressing Equifax to reveal the impact of the breach on UK citizens. At the weekend, the ICO said it had been engaging with relevant US and UK agencies about the nature of the data breach.

The ICO said members of the public should remain vigilant about any unsolicited emails, texts or calls, even if they appear to come from a company they are familiar with.

“We also advise that people review their financial statements regularly for any unfamiliar activity,” the ICO said in a statement.

“If any financial details appear to have been compromised, victims should immediately notify their bank or card company. If anyone thinks they may have been a victim of a cyber crime they should contact Action Fraud,” the ICO said.

Equifax looks into vulnerabilities

Although the breach is believed to have taken place between 13 May and 30 July 2017, Equifax reported the breach only last week.

At the weekend, the company announced that chief information officer Susan Mauldin and chief security officer David Webb were “retiring” and that Mark Rohrwasser and Russ Ayres would take over the roles with immediate effect.

According to the company’s latest statement, Equifax’s security team observed suspicious network traffic associated with its US online dispute portal web application on 29 July 2017.

In response, the security team investigated and blocked the suspicious traffic it had identified, and continued to monitor network traffic.

On 30 July 2017, the company took offline a web application associated with further suspicious activity.

The company then identified a vulnerability in the Apache Struts web application framework as the initial attack vector and patched the affected web application before bringing it back online.

According to the company statement, Equifax was aware of the vulnerability before the breach and claims to have taken steps to identify and patch any vulnerable systems in its IT infrastructure.

“While Equifax fully understands the intense focus on patching efforts, the company’s review of the facts is still ongoing. The company will release additional information when available,” the statement said.

Ongoing investigation with FBI

Following a forensic investigation by cyber security firm Mandiant, the company announced that the breach was believed to have exposed the names, social security numbers, birth dates, addresses and, in some cases, driver’s license numbers of 143 million US consumers.

In addition, credit card numbers for approximately 209,000 US consumers, and certain dispute documents with personal identifying information for approximately 182,000 US consumers, were accessed.

Equifax said it has taken short-term remediation steps, and continues to implement and accelerate long-term security improvements.

The company said its internal investigation is still ongoing and that it continues to work closely with the FBI in its investigation.

Equifax holds data on more than 820 million consumers and 91 million businesses, and its share price has fallen by more than a third since it announced the breach on 7 September, according to Reuters.

In a letter to Equifax, US senator Elizabeth Warren said the company had failed to provide the necessary information describing exactly how this happened, and exactly how the security systems failed.

“Equifax’s initial efforts to provide consumers information did nothing to clarify the situation and actually appeared to be efforts to hoodwink them into waiving important legal rights,” she wrote.

Equifax chief executive Richard Smith has apologised for the breach and will testify at a House Energy and Commerce Committee hearing in the US Congress on 3 October, according to the BBC.
