For the second time since it fessed up to suffering a data breach last month, Equifax has issued a correction, acknowledging today in a press release that hackers stole details on over 15.2 million UK citizens.
In its original statement, last month, the company said that only 400,000 UK citizens were affected. The company says the cyber-security firm it brought in to investigate the breach found evidence that hackers got their hands on more data than initially believed. The stolen files contained records the company created between 2011 and 2016.
Equifax says that for approximately 14.5 million of the 15.2 million affected, the stolen records contained only a small amount of information, limited to name and dates of birth.
Exhaustive personal details were included for 693,665 records that hackers managed to steal. Equifax says it already started notifying these customers by post mail. The table below lists the personal details exposed for the set of 693,665 records.
|Consumer groups||Remedial action|
12,086 consumers who had an email address associated with their Equifax.co.uk account in 2014 accessed
14,961 consumers who had portions of their Equifax.co.uk membership details such as username, password, secret questions and answers and partial credit card details - from 2014 accessed
29,188 consumers who had their driving licence number accessed
We will offer Equifax Protect for free. This is an identity protection service which monitors personal data. Products and services from third party organisations will also be offered at no cost to consumers. In addition to the services set-out above, further information will be outlined in the correspondence.
637,430 consumers who had their phone numbers accessed
Consumers who had a phone number accessed will be offered a leading identity monitoring service for free.
The UK National Cyber Security Centre also issued a statement today, with recommendations for affected customers, informing them of the dangers of phishing and online fraud. Equifax also made it clear that it would not be calling affected customers. UK users should not give out personal details to anyone calling claiming to be an Equifax employee.
This is the second time that Equifax amends its original breach estimate — 143 million US customers, 400,000 UK customers, 100,000 Canadian customers.
Last week, the company said it discovered an additional 2.5 million affected US customers and reduced the number of affected Canadian users from 100,000 to around 8,000.
Also last week, Equifax's Chief Executive Officer (CEO) Rick Smith resigned his position. Two weeks earlier, the company announced the immediate retirement of their Chief Information Officer (CIO) and Chief Security Officer (CSO).
Smith also attended a Senate Banking Committee hearing on the Equifax breach, during which he blamed the incident on a lowly IT worker who forgot to patch the breached server for an Apache Struts vulnerability. Despite Smith's statements, someone dressed as the Monopoly Man stole the show at the Senate hearing.
Despite Equifax's huge security failures, the IRS awarded the company a $7.25 million contract to help the agency prevent fraud. The company will probably do a splendid job at recognizing its own data now.