September 18, 2017 // 11 a.m.
Equifax Ltd. (UK), the local arm of global credit reporting giant Equifax, has weighed in on the recent data breach and the news isn't good: While its systems are reportedly unaffected, a five-year-long data handling gaffe has exposed around 400,000 UK consumers' personal data regardless.
Equifax reported on the breach earlier this month, warning that personal data on 143 million North American consumers - including US Social Security and driving licence numbers along with 209,000 credit card numbers - had been accessed by attackers unknown. The company discovered the attack in July but waited until September 8th to warn customers - while three top executives inexplicably sold off nearly $1.8 million in Equifax shares post-discovery but prior to the announcement which saw a chunk taken off the value of Equifax's shares.
While the company's US arm has announced the sudden 'retirement' of chief security officer Susan Mauldin and chief information officer David Webb - neither of whom are implicated in the share sell-off - it's an announcement from the company's UK arm which will be of most interest to consumers located within these green and sceptred isles: The personal data of around 400,000 UK consumers were included in the US breach.
'As part of its investigation, Equifax has now identified unauthorised access to limited personal information for certain UK consumers,' the company's UK arm warns in a statement issued over the weekend. 'Equifax Ltd. (UK) can now confirm that UK systems are not affected. Equifax Ltd. and TDX Group systems and platforms are entirely separated from those impacted by the Equifax Inc. cybersecurity incident.
'Regrettably the investigation shows that a file containing UK consumer information may potentially have been accessed. This was due to a process failure, corrected in 2016, which led to a limited amount of UK data being stored in the US between 2011 and 2016. [...] Having concluded the initial assessment Equifax has established that it is likely to need to contact fewer than 400,000 UK consumers in order to offer them appropriate advice and a range of services to help safeguard and reassure them.'
The details on those 400,000 consumers - who will not have needed to use Equifax's services directly to be affected, given the company's role as credit monitor - are thankfully limited compared to those lost by those in the US: 'The information was restricted to: Name, date of birth, email address and a telephone number,' the company claims, 'and Equifax can confirm that the data does not include any residential address information, password information or financial data. Due to the nature of the information Equifax believes identity takeover is unlikely for the UK consumers who had their data potentially accessed in this incident.'
Investigations into the source of the breach, which has been blamed on a flaw in the company's server software which was made public and for which a patch was released a month prior to the breach, continue.