Equifax: Umm, actually hackers stole records of 15.2 million Brits, not 400,000

Nearly 700,000 of them can expect a letter in the mail soon…

David Bisson (@DMBisson)

Equifax has confirmed that a recent data breach exposed a file containing 15.2 million UK personal information records.

On 10 October 2017, the National Cyber Security Centre (NCSC) confirmed the Equifax data breach disclosed in September 2017 actually compromised 15.2 million UK records.

That’s considerably more than 400,000, the number of consumers living in the United Kingdom which Equifax originally thought had been affected by the security incident.

The credit bureau has confirmed the NCSC’s findings and revealed some additional details regarding the exposure. As quoted in a statement posted to its website:

“Today Equifax can confirm that a file containing 15.2m UK records dating from between 2011 and 2016 was attacked in this incident. Regrettably this file contained data relating to actual consumers as well as sizeable test datasets, duplicates and spurious fields. Equifax has brought every analytical tool, technique and data asset it has available to bear in order to ‘fill in the blanks’ and establish actual consumer identities and attribute a current home address to them. This complete, we have been able to place consumers into specific risk categories and define the services to offer them in order to protect against those risks and send letters to offer them Equifax and third-party safeguards with instructions on how to get started. This work has enabled us to confirm that we will need to contact 693,665 consumers by post. Details are set out in the box below. The balance of the 14.5m records potentially compromised may contain the name and date of birth of certain UK consumers. Whilst this does not introduce any significant risk to these people Equifax is sorry that this data may have been accessed.”

Breakdown of UK consumers affected by the Equifax data breach. (Source: Equifax)

Equifax said that it had not yet started notifying the affected UK consumers because it did not think it was “appropriate” as it was waiting until “the full forensics investigation was completed.” Given the mess Equifax has made in its attempts to respond to this breach, you would think the credit bureau would be itching to repair its reputation in the eyes of consumers everywhere.

Honestly, I’m not sure that reasoning does the trick.

While Equifax works to get its act together, UK citizens IN GENERAL should be wary of phishing messages and fraudulent calls that might try to leverage their data stored with Equifax to steal even more of their personal information.

Find out more about Equifax’s shambolic approach to its data breach, in this edition of the “Smashing Security” podcast:

Smashing Security #042: 'Equifax, BlueBorne, and the iPhone X'



David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

6 comments on “Equifax: Umm, actually hackers stole records of 15.2 million Brits, not 400,000”

  1. Matthew Parkes

    Why would anyone put their trust in Equifax to provide identity or fraud prevention/monitoring services it doesn't make sense, also consumers who have only had name and date of birth stolen are not at high risk? Isn't this all you would need to initiate the process of stealing someone's identity via bank accounts or other financial accounts?

    Surely the information that would be requested by Equifax to put in place monitoring or blocking schemes is exactly what has been stolen so they have no way of confirming the identity of the individuals who may contact them to either put in place or remove such features. For example if the consumer puts a freeze on their credit file (not a lock provided by Equifax) to try and mitigate any unauthorised use, then the crooks who access this information can just as easily remove the freeze.

    Absolutely pointless.

  2. Mike

    This was my suspicion from the beginning. In fact I bored people with my theory. It seemed obvious and now it is apparent.

  3. George

    Surely Equifax needs to write to ALL 15.2 million confirming that their data was or was not disclosed?

    NOT receiving a letter doesn't provide any reassurance – despite the best efforts of the postal service some fail to arrive and, if not, anyone concerned should then contact Equifax to find out how they stand! ….. hmmmm…. perhaps everyone in the UK should be sent a letter?

  4. George

    Better yet…. Equifax should send the letters by recorded delivery to confirm that they have been received and follow up on non-deliveries!

  5. M Sirell

    This story is wrong. There were 15.2m records in a file but that only pertained to 600,000 UK citizens (duplicates, test data, yadda yadda.) Keep up!

    https://www.equifax.co.uk/about-equifax/press-releases/en_gb/-/blogs/equifax-ltd-uk-update-regarding-the-ongoing-investigation-into-us-cyber-security-incident

    (via El Reg, https://www.theregister.co.uk/2017/10/10/equifax_uk_records_update/ )

  6. George

    Sorry but you are wrong!!
    There MAY be SOME duplicate records BUT Equifax maintains data on MILLIONS of UK residents WHETHER OR NOT they subscribe to Equifax's services. That data comprises information used by hundreds, probably thousands, of commercial businesses that use Equifax when checking the credit worthiness of their potential customers.
