Credit monitoring and reporting agency Equifax has had to backtrack on claims that only 400,000 UK customers were affected by a recent data breach by its US arm, upping the total affected to a whopping 15.2 million UK consumers.
When Equifax US reported a serious data breach in early September, it was bad news for the company's US user base - and those on whom it holds data without any direct interaction - with 143 million individuals affected. Equifax UK, though, claimed things were significantly rosier for UK consumers: Although 400,000 accounts were incorrectly shared with the US arm in 2016, the company claimed, the remainder of the data held was safe as the two companies run 'systems and platforms [which] are entirely separated'.
Sadly, that separation turns out to have been significantly overstated. In an updated statement published yesterday, Equifax UK has admitted that a total of 15.2 million UK records dating between 2011 and 2016 were leaked during the breach - something of a major upgrade from the 400,000 it had originally claimed to be affected.
Equifax UK claims that of those 15.2 million records, around 700,000 contained telephone numbers, 29,188 driving licence numbers, 12,086 email addresses, and 14,961 other account details including but no limited to username and password, secret questions and answers, and partial credit card details. These customers will be alerted by post, the company has confirmed, while the 14.5 million remaining leaked records contained only names and dates of birth - data Equifax UK claims is not enough to put those affected at risk of fraud and therefore not worthy of a letter-writing campaign to alert those included in the breach of the issue.
'Once again, I would like to extend my most sincere apologies to anyone who has been concerned about or impacted by this criminal act. Let me take this opportunity to emphasise that protecting the data of our consumers and clients is always our top priority,' claims Patricio Remon, Equifax UK's president for Europe. 'It has been regrettable that we have not been able to contact consumers who may have been impacted until now, but it would not have been appropriate for us to do so until the full facts of this complex attack were known, and the full forensics investigation was completed. I urge anyone who receives a letter from Equifax to take advantage of the remedial services being offered to help mitigate against any risk, or to contact us should you have any questions.'
The data breach itself was discovered in July this year, but the announcement left until September - during which period three of the company's executives sold off stock totalling $1.8 million.