Data broker Equifax has released a revised count of U.K. victims of its massive 2017 data breach, now saying 860,000 residents had their personal details exposed.
When Brits last heard from the beleaguered data broker in November, it had begun sending letters to 693,665 U.K. residents, warning them that their details had been exposed and offering them anti-fraud services.
The breach, which began last May but was not detected until late July 2017, also exposed 145.5 million U.S. consumers' information. Initially, Equifax suspected 100,000 Canadian residents were also impacted by the breach, but later revised the Canadian victim count to 8,000.
More British Victims
The latest update arrived Thursday, when Equifax issued a data breach update saying that by the end of this month, it will write to more U.K. residents whose information was part of a file that was exposed in the breach.
"We have now taken the decision to write to a further 167,431 U.K. consumers from this file" who had their landline phone numbers exposed in the breach, Equifax says. "We are offering this group the same free ID protection services as outlined in the initial consumer letters." But Equifax notes that the phone numbers accessed during the breach were already listed in public telephone directories, meaning this exposure should not pose any additional risk to breach victims.
Equifax Breach: UK Edition
To recap: Equifax says last year's breach resulted in the exposure of a file containing 15.2 million U.K. records from 2011 to 2016. "As well as featuring some information about actual consumers, this file also contained duplicates and data for testing purposes," it says. "Equifax has used all available resources to identify the actual consumers impacted and their current home address. After a period of time-consuming and technically difficult analysis, Equifax was able to piece together information which allowed it to place these consumers into specific risk categories."
Hence the decision to write to a total of 861,096 British breach victims.
Equifax says all of its U.K. breach victims fall into one of four categories:
- Email address associated with equifax.co.uk account was accessed;
- Membership details for equifax.co.uk were accessed, such as username, password, secret questions and answers and partial credit card data;
- Driver's license number accessed; or
- Phone number accessed.
Equifax's initial breach notification to U.K. consumers, which offered its "Protect" identity theft monitoring service for free, included this wrinkle: To sign up, breach victims had to share more information with the same data broker that lost control of their personally identifiable information in the first place (see Equifax UK Breach Notification Demands Victims' Details).
Equifax is still offering that service - prepaid for up to 24 months - but says victims can instead sign up for another service that requires only their name, gender and email address. It says the service, dubbed WebDefend, monitors cybercrime forums for victims' personal information and allows breach victims to set up alerts for their driver's license number, telephone numbers, email addresses, bank account number, National Insurance number and credit and debit card numbers.
But tracking any of those additional bits of personal information would also require breach victims to share the data with Equifax, a spokesman tells me.
Identity Theft in the UK
What actual risk do U.K. Equifax breach victims face?
One thing that makes data breaches in the United States so devastating is that individuals' personally identifying information can be used to commit fraud, literally in their name.
When someone applies for a loan or credit card, for example, issuers will use the PII that the applicant supplies, such as Social Security numbers, names, addresses and birth dates, to assess creditworthiness via data brokers such as Equifax, Experian and TransUnion.
Many privacy experts have long derided the way that Social Security numbers in the United States have come to be used as unique identifiers.
But residents of countries that don't use Social Security numbers or some other government-issued number - such as the National Insurance number in the United Kingdom - as a unique identifier may still become the victim of identity fraud.
"I had it happen to me - albeit several years ago - when someone was able to use just my name and date of birth to set up various retail accounts and run up a lot of debt," says Alan Woodward, a professor of computer science at the University of Surrey. "They didn't have my home address, but when I next did a credit check and validated my address the credit checking agency then assumed it must be me and I started getting letters from debt collection agencies."
Woodward tells me he'd been proactively checking his credit report, and seeing that false addresses had been registered under his name tipped him off that fraudsters were at work. Even so, it still took him two years to clear his name while fending off debt collectors.
"The thing I found extraordinary was that even when I got one debt collector off my back, I found they had simply sold on the debt and it started all over again," he says. "I had to find the source - which was an unusual company based in the Channel Islands - and tell them to cease and desist."
He was tenacious and ultimately successful. "Imagine if that were someone less obstreperous," he says.
Now, however, Woodward gets to watch for Equifax-related fraud, because he's been informed that his information was exposed in that data breach.
This blog has been updated with additional information from Equifax.