STE WILLIAMS

The impact of the Equifax breach in the UK remains unclear days after the disclosure of a breach that could potentially affect up to 44 million British consumers.

The credit reference agency and its UK subsidiaries provide services for UK companies including BT, Capital One and British Gas. Customers of these companies might therefore be affected by the attack despite not having signed up for Equifax’s services. The US agency holds the personal details of 44 million UK citizens, the Daily Telegraph reports. What percentage of these users are affected remains unclear and unconfirmed.

BT has confirmed it was a user of Equifax services, with a spokesman adding it was in dialogue with credit reference agency about the matter. A BT spokesman courtesy told El Reg he wasn’t able to share any more at this point.

Data privacy watchdogs at the Information Commissioner’s Office (ICO) have advised Equifax to alert affected UK customers as soon as possible. Notification in such cases is not mandatory under current UK data protection laws. A spokeswoman at the ICO wasn’t able to provide any guidance on the extent to which UK consumers were affected by the breach when we called on Monday early afternoon.

In a breach disclosure notice last Thursday, Equifax said criminal hackers had exposed the personal data of 143 million customers in the US, which was stolen between mid-May and late July this year after taking advantage of an (unspecified) “web application vulnerability”. Weekend speculation that hackers might have exploited a recently disclosed flaw in Apache Struts has been denied, as previously reported.

According to Equinox, the purloined US data includes names, social security numbers, dates of birth, addresses and, in some instances, driver’s licence numbers. In addition, credit card numbers for approximately 209,000 US consumers, and certain dispute documents with personal identifying information for approximately 182,000 US consumers, were accessed.

Equifax added that “limited personal information” from British and Canadian residents had been compromised without going into details. El Reg put in a query to Equifax’s UK PR representatives asking for clarification on what information belonging to UK consumers had been exposed and how many had been affected. Our query was redirected towards a central (crisis management) PR team, which we understand is US-based.

We’ll update this story as more pertinent information comes to light.

Equifax’s dedicated breach-handling site can be found here. In updates on Friday, Equinox said that it had drafted more people to work in its call centres. It also said that the “arbitration clause and class action waiver included in the Equifax and TrustedID Premier terms of use does not apply to this cybersecurity incident” in response to US consumer concerns that finding out if they had been affected by the breach might mean foregoing participation in a class action lawsuit. ®

Sponsored:
The Joy and Pain of Buying IT – Have Your Say

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/11/equifax_breach_uk_exposure/