Credit-reporting agency Equifax now says records exposed in the massive data breach it revealed last month included information relating to 15.2 million U.K. residents. The count of British breach victims is much higher than the business first estimated.
See Also: Addressing the Identity Risk Factor in the Age of ‘Need It Now’
The vast majority of those records – 14.5 million – contained only names and birthdates, which Equifax contends “does not introduce any significant risk to these people.”
But the remaining 700,000 records had data that may have included driver’s license numbers, email addresses, phone numbers, partial credit card numbers and sensitive information tied to online Equifax.co.uk accounts.
“Equifax apologizes unreservedly for any risks to consumers arising as a result of this criminal hack,” according to a statement issued Tuesday. “We continue to work closely with law enforcement and other agencies as well as leading external advisers to learn lessons for the future.”
No group has yet taken responsibility for stealing the Equifax data, which affected 145.5 million people U.S. consumers as well, plus some Canadians. The FBI has launched a criminal probe into the breach. But security experts do not believe the stolen data has appeared on dark web forums where this type of information would routinely surface, for sale to identity thieves.
When Equifax first disclosed the breach on Sept. 7, it said “limited personal” information about consumers in the U.K. and Canada were also affected. Later, it estimated that data pertaining to 400,000 U.K. residents was exposed (see Equifax: Breach Exposed Data of 143 Million US Consumers).
The U.K. data ended up being stored on U.S. servers owing to a “process failure” that occurred between 2011 and 2016, at which point it was found and fixed, Equifax says. But while the data transfer stopped, a copy of this file apparently remained stored on U.S. systems, and Equifax says attackers obtained it.
“Regrettably this file contained data relating to actual consumers as well as sizeable test datasets, duplicates and spurious fields,” the company says.
Equifax earlier suspected 100,000 Canadian residents were impacted by the breach, but later revised the Canadian victim count to 8,000. Exposed information for Canadian residents included names, addresses, Social Insurance Numbers and in some instances credit card numbers.
Equifax says it will contact by post the 693,665 U.K. residents who had personal information exposed that went behind just their name and birthdate. Exposed information varies, but includes:
637,430 consumers’ phone numbers;
29,188 consumers’ driver’s license numbers;
14,961 Equifax.co.uk site membership details, which may include usernames, passwords, partial credit card details, and secret questions and answers used to reset accounts;
12,086 consumers’ email addresses, used to register with Equifax.co.uk.
For victims whose phone numbers were leaked, Equifax says it will offer them “a leading identity monitoring service for free.”
For the remaining consumers, the company is offering its own identity protection service called Equifax Protect for free. The company also plans to offer consumers other “products and services from third-party organizations” for free. Equifax didn’t immediately respond to a query about how long those services would be offered for free.
Equifax has yet to describe those services, but says they will be outlined in the mailing that affected consumers receive.
Equifax’s breach represents one of the largest – and for consumers, most dangerous – breaches ever recorded, and has led to sharp questions about the cybersecurity prowess of credit agencies and data brokers.
In addition to exposing personal data for 145.5 million U.S. individuals, Equifax’s breach exposed credit card numbers for 209,000 U.S. consumers. The breach also exposed documents related to credit disputes that U.S. consumers had filed with the company, affecting 182,000 individuals.
The breach has triggered a wave of legal and regulatory action against the company and resulted in the sudden retirement of CEO Richard Smith and departure of other senior executives, including Susan Mauldin, the former CSO.
Some critics say the breach shows that the data broker industry needs to be more tightly regulated to protect consumer data that can so easily be repurposed by fraudsters to commit identity theft.
Equifax was hacked after failing to address a known security problem. In March, hackers broke into Equifax’s systems by exploiting a software vulnerability in Apache Struts, a web application development framework used for its U.S. website infrastructure (see Equifax’s Colossal Error: Not Patching Apache Struts Flaw).
A patch for the vulnerability had been available since early March, but Equifax did not apply the patch and later system scans failed to identify the vulnerable Apache Struts software. After exploiting the flaw to hack into Equifax in March, intruders actively roamed its systems from mid-May through July 30, when Equifax detected the breach and closed the hole.