UPDATE: Following Equifax’s announcement that 700,000 UK accounts had been compromised by the data breach last Spring, Nicky Morgan, chair of the Treasury Commitee, has written to Patricio Remon, president for Europe at Equifax, asking for clarifications on the incident.
In the letter, Morgan asked Equifax to explain how data on UK citizens found its way to US servers subsequently compromised, as well as why the original estimate of affected individuals from last month was so much lower.
The committee also sought confirmation on whether there would be any kind of compensation to customers in case of identity fraud.
In a separate letter, Morgan contacted the Financial Conduct Authority (FCA) asking how it was treating the incident, and whether it intended to set up a consumer redress scheme for compensation.
Morgan said: “Equifax has taken too long to notify those affected by its widespread cyber-security breach. People have been left in the dark for too long, which has increased the risk that they fall victim to identity theft and fraud.
“It is particularly concerning that the breach occurred in a business that sells identity protection services, and is looking to take advantage of the commercial opportunities afforded by data sharing initiatives, such as Open Banking.
“Mr Remon has said that the immediate focus of Equifax is to ‘support those affected by this incident’. The Treasury Committee will hold him to these words, and will consider taking public evidence from Equifax, particularly if it does not receive a full and timely response to these questions.”
The committee has given Equifax until October 24 to address its questions.
ORIGINAL STORY: The number of Equifax customers in the UK whose records were been affected by the hack last spring has been revised up to 700,000, the company has said.
In September, Equifax revealed it had been the victim of one of the largest data breaches in US history, with more than 143m records compromised. The number of UK customers was been initially put at 400,000.
In an update, however, Equifax UK has said that “a file containing 15.2m UK records dating from between 2011 and 2016 was attacked in this incident”.
For 12,000 customers, the information which was breached was an email address associated with an Equifax account since 2014; for 15,000, it was login details and partial credit card details, again going back to 2014; for 29,188, it was a driving license number; and for over 637,000, it was a phone number.
Equifax UK said will contact the affected 700,000 customers by post. The first three categories will be offered Equifax’s own Protect service against identity fraud, as well as third-party products, all free of charge.
Customers’ whose only affected data was a phone number, meanwhile, will be referred to an unspecified “leading identity monitoring service”, again at no cost.
Patricio Remon, president for Europe at Equifax, said: “Once again, I would like to extend my most sincere apologies to anyone who has been concerned about or impacted by this criminal act. Let me take this opportunity to emphasise that protecting the data of our consumers and clients is always our top priority.
“It has been regrettable that we have not been able to contact consumers who may have been impacted until now, but it would not have been appropriate for us to do so until the full facts of this complex attack were known, and the full forensics investigation was completed.
“I urge anyone who receives a letter from Equifax to take advantage of the remedial services being offered to help mitigate against any risk, or to contact us should you have any questions.”