According to Equifax, a cyber breach at the firm between mid-May and July affected around 145.5 million US consumers, 2.5 million more than it said when it first reported the breach in early September.
The breach has been blamed on a failure to patch all Equifax IT systems to prevent hackers from taking advantage of a vulnerability in the Apache Struts web application framework.
The exposed US consumer data reportedly included names, social security numbers, dates of birth, addresses, credit card numbers and other information.
Equifax also initially said around 400,000 consumers in the UK and 100,000 in Canada may also have been affected, but the firm later increased the UK figure to 694,000 and decreased the Canadian estimate to 8,000.
The UK data was restricted to name, date of birth, email address and a telephone number, but did not include any residential address information, password information or financial data, said Equifax.
In total, Equifax said that 15.2 million UK records dating from between 2011 and 2016 were compromised, but 14.5 million of the potentially compromised records contained only the name and date of birth of certain UK consumers and “does not introduce any significant risk” to these people.
The FCA published a statement announcing that it was investigating the circumstances surrounding the data breach, but provided no further details.
Four consumer groups affected by breach
According to Equifax, analysis of all potentially affected data relating to UK subjects shows there are four groups of consumers affected.
Equifax said 12,086 UK consumers had an email address associated with their Equifax.co.uk account in 2014 accessed, while 14,961 had portions of their Equifax.co.uk membership details – such as username, password, secret questions and answers and partial credit card details – from 2014 accessed, and 29,188 had their driving licence number accessed.
For these three groups, Equifax is offering the Equifax Protect identity protection service and services from third party organisations at no cost.
The fourth group is made up of 637,430 consumers who had their phone numbers accessed, and to this group, Equifax is offering “a leading identity monitoring service” free of charge. UK consumers have been advised to call Equifax for more information on 0800 587 1584.
Patricio Remon, president for Europe at Equifax Ltd (UK) issued an apology to anyone who has been concerned about or affected by this “criminal act”.
“Let me take this opportunity to emphasise that protecting the data of our consumers and clients is always our top priority,” he said.
“It has been regrettable that we have not been able to contact consumers who may have been impacted until now, but it would not have been appropriate for us to do so until the full facts of this complex attack were known, and the full forensics investigation was completed.
“I urge anyone who receives a letter from Equifax to take advantage of the remedial services being offered to help mitigate against any risk, or to contact us should you have any questions,” he said in a statement.
Responding to the FCA announcement, Equifax said the company is already working closely with the FCA and other authorities.
“We welcome this opportunity to learn the lessons from this criminal cyber-attack in order for all businesses to better protect consumers in the future.
“Cyber crime is a real and ever-present risk faced by all companies, so it is important that government, regulators and businesses work together to combat this growing threat. We see today’s announcement as a continuation of that process,” the company said.
Equifax has been criticised for failing to protect personal data and not notifying affected consumers until September, more than a month after halting the attack.
Just over a week after the breach was made public, Equifax announced that chief information officer Susan Mauldin and chief security officer David Webb were “retiring” and, less than two weeks later, Richard Smith said he was stepping down as CEO.