Up to 44 million UK consumers may have had their identity put at risk after Equifax hack

By now, you’ve no doubt read the news stories about the massive data breach at credit-reporting service Equifax which has put 143 million US customers at risk of identity theft.

Hackers stole personally identifiable data including social security numbers, dates of birth, addresses, and driving license information – alongside (in the case of some 209,000 consumers) credit card information.

But you would be wrong to think that it is only consumers in the United States who are at risk because of the breach.

Equifax has admitted that it also “identified unauthorized access to limited personal information for certain UK and Canadian residents.”

What Equifax doesn’t say in its advisory is just how many UK and Canadian citizens might be at risk, but a report from The Telegraph puts the number of potential British victims at 44 million.

Considering that the estimated population of the UK (including children, who I would argue are less likely to be having their credit rating checked) is about 65 million, that’s a frankly catastrophic figure.

And don’t imagine for a second that because you may never have heard of Equifax, or have done no business with them, you have somehow escaped being affected by this breach. Many companies in the UK use Equifax’s credit-checking services when deciding if they want to take you on as a customer or not.

In short, you may never have had any direct dealings with Equifax, but they may still have had your personal data – and it may now be in the hands of hackers.

Things only get worse when you recognise just what it means to have key personal data such as names, dates of birth, and social security numbers (although these aren’t used in the UK) exposed.

If, say, your password is exposed through a website breach you can always change your password. But try changing your date of birth, or your name… you’re stuck with them for life.

Identity thieves can use personal information such as dates of birth, names, addresses and social security numbers to fraudulently open accounts, take out loans and credit cards, or even buy a house… all without you knowing, and yet it’s ultimately you who might find yourself with a damaged credit rating as a result.

It’s no wonder, as The Telegraph quotes, that the likes of BT are keeping a close eye on the developing story:

“We are aware of the developing story and are monitoring the situation closely. Like many companies in the UK, BT uses Equifax services. We are working on establishing whether this breach has any impact on those services.”

In many ways I’m reminded of how T-Mobile’s CEO was unable to disguise his anger when Experian, a company tasked with credit-checking the phone company’s users, suffered its own data breach exposing social security numbers and other personal information two years ago.

You can’t help but feel some sympathy for the companies which placed their trust in Equifax, believing that the firm would take proper care of consumers’ information.

But most of all I feel sorry for the many millions of consumers who are currently utterly oblivious that their identities are at risk, and the potential problems they might face in the future.

About the author

Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

5 Comments

  • I wonder if it's a matter of luck that I haven't been affected by a cyber attack. I suppose all I can do is be watchful, monitor my accounts, place my faith in the security installed on my devices and hope for the best.

    • Great post, Graham. I cannot find any mention online of whether these data were encrypted or plain text. Strange. Could Equifax actually be so stupid/irresponsible/inept/etc?
      I wandered over to Equifax.co.uk and there is no acknowledgement or mention of the hack of course, or a link to see if you are affected (as has been offered to US residents).
      They use Flash on their site, so that isn't a good thing either.
      I don't have any business with Equifax but thought I'd get my statutory credit report from them to see what they have on file about me (Section 7 of the DPA). Their website tries valiantly to get you to do this online for £2, but you have to give them your c-c details. That doesn't seem like a clever move! The online help "information" box says "It would help if you had some financial information to hand to assist you to answer these questions and speed up your order", which sounds like a surreptitious way of them getting free information to broaden their profile of users. There is an option to get the information by mail with a cheque in their favour (and no financial information required), so that will be in the post tonight.
      As your article says, when a company with this much aggregated data is hacked, it is a REAL problem. Let's hope others have a better policy for storage and protection of their databases.

  • Bitdefender sent me a bundle of cybersecurity vids from U-tube. I've listened to several more. Nothing is private. And you can be manipulated by images.