back to article Equifax UK admits: 400,000 Brits caught up in mega-breach

Equifax UK has surfaced to say that British systems were not affected by a recently disclosed megahack, however 400,000 UK people were affected due to a “process failure.” The credit reference agency is saying that UK dedicated systems were not affected by the security breach at its US parent firm that exposed the personal …

  1. yoganmahew

    Say what?

    "This was due to a process failure, corrected in 2016, which led to a limited amount of UK data being stored in the US between 2011 and 2016. "

    If the process error was corrected in 2016, how come the data on 400k people was still in the US in March 2017? Safe Harbour regulations should have made this data transfer all but impossible, since it appears to be a marketing list...roll on GDPR.

    Handy of them to discover this on a friday evening...

    I smell a hamster. And some elderberries.

    1. Anonymous Coward
      Anonymous Coward

      Re: Say what?

      It's also a good day to bury bad news.

    2. Aqua Marina

      Re: Say what?

      "This was due to a process failure, corrected in 2016, which led to a limited amount of UK data being stored in the US between 2011 and 2016."

      I wonder if this oversight was reported to the ICO at the time, or if it was quietly swept under the rug and hoped that would be the end of it.

    3. Anonymous Coward
      Anonymous Coward

      Re: Say what?

      I agree.

      Remember you are the product. They are selling you and information about you.

      There's no consent to being on their database.

      My view, we should put massive fines in place for each person who has had data lost.

      10K an offence, 400,000 offences.

      That's a tidy sum for the exchequer.

    4. Dan 55 Silver badge

      Re: Say what?

      Gov.uk Verify shared info with Equifax too.

      It'd be nice to know if that personal data has wondered off over the Atlantic as well, but I doubt we'd find out unless we search some of the more insalubrious areas of the Internet and buy it ourselves.

      1. JetSetJim Silver badge
        Coat

        Re: Say what?

        >but I doubt we'd find out unless we search some of the more insalubrious areas of the Internet and buy it ourselves

        Oh no, you'll find out soon enough. You'll receive an email from equifax@hotmail.com informing you of your data loss, and it will include a handly link which, when clicked on, will allow you to verify your information once you've typed in your credit card details. Totally legit, I've just done mine.

  2. chris street

    Start complaining now....

    Time to start complaining. casework@ico.org.uk - send them messages asking why this has happened. Ask them if they are going to prosecute the UK arm - because thats who leaked it. Demand answers. Talk to MP's ask why this is happening.

    Be the squeaky wheel make a lot of noise and dont let them grease you.

    1. Keef

      Re: Start complaining now....

      Nice ideas, but...

      'Time to start complaining. casework@ico.org.uk'

      The ICO are worse than useless, I'm not saying people shouldn't follow your advice, just that they shouldn't expect a meaningful outcome as a result of doing so.

      'Demand answers'

      That comment did make me laugh, demand all you like, in the UK you won't get them.

      'Talk to MP's ask why this is happening.'

      Even funnier! You Sir should be on stage, you have a talent.

      I'm not decrying your comments Chris (I upvoted you), just adding what I see as a dose of reality to them.

      1. dephormation.org.uk
        Pint

        Re: Start complaining now....

        Applying the ICO going rate for "fines per person affected" ... 0.2p/person... the total fine for Equifax would be 400,000x0.2p = £800.

        And even that figure is assuming the ICO opt to issue a fine.

        They are more likely to

        - blame the victims for not opting out of something they didn't know about,

        - claim 'the ICO are not IT experts' and unable to understand the technology,

        - claim the leak was 'small scale and technical in nature',

        - suggest it was 'too difficult to obtain consent from theory customers for the processing',

        or some other utter nonsense.

        The ICO are, absolutely, as useless as an ashtray on a space rocket (.. never mind a motorbike).

        1. Anonymous Coward
          Anonymous Coward

          Re: Start complaining now....

          The ICO are, absolutely, as useless as an ashtray on a space rocket (.. never mind a motorbike).

          presumably ICO weakness is an entirely deliberate action on the part of the interference-agencies/deep-state/Putin, take your pick

    2. wolfetone Silver badge

      Re: Start complaining now....

      "Talk to MP's ask why this is happening."

      A lovely idea, and normally would be the best way to go about it.

      However, Parliament won't have chance to discuss this because of the Brexit "negotiations". Nothing can be discussed or sorted out that isn't related to Brexit until it happens and everything is hunky dory again.

      I will be bombarding the ICO about it though. If Equifax have done this, and only now admitted to doing it, how many other companies are doing it? "Process failure" my arse, if they can do something and get away with it then they're going to be doing it. It's only when they're caught that they say "Oh sorry it was a failure on our part it won't happen again".

  3. a_yank_lurker Silver badge

    Drip, drip, drip...

    The dripping sound is the end of Equinefax. The true scope of this disaster is probably not known and the bovines in charge will do their PHB best to keep people from finding out. But the right court case and with discovery things could prove interesting.

    1. Korev Silver badge

      Re: Drip, drip, drip...

      I hope you're correct; however Talktalk are still in business.

    2. rmason Silver badge

      Re: Drip, drip, drip...

      @a_yank_lurker

      Nonsense.

      They will pay a relatively small fine, and carry on. business as usual.

      1. Mike Richards Silver badge

        Re: Drip, drip, drip...

        Don't forget the maximum fine the ICO can impose is £500k - and its never been imposed - even TalkTalk didn't pay that much. GDPR can't come along quickly enough with its fines up to €20 million or 4% of an organisation’s annual global turnover *whichever is greater*.

        Equifax also needs to be forced to spunk up serious compensation for anyone who has had any of their personal data leaked. We don't ask to be put on their systems, we don't have any right to say 'no', so lets make them take security seriously - or kill them through fines and legal settlements.

  4. Tom Paine Silver badge
    Unhappy

    Krebs freeze

    Krebs says a credit freeze is much more use than credit monitoring. (GIYF.) Why aren't credit accounts frozen by default and only unlocked by specific strongly authenticated authorisation?

    1. Anonymous Coward
      Anonymous Coward

      Re: Krebs freeze

      Less income, I gather.

      That's always the prime reason if it's not a regulated industry (which it should be, due the undue influence it has).

  5. sanmigueelbeer Silver badge
    Thumb Up

    CIO & CSO Steps down

    Equifax CIO & CSO has stepped down ...

    https://investor.equifax.com/news-and-events/news/2017/09-15-2017-224018832

    Accelerated "early retirement" and throwing them to the wolves?

    1. Eddy Ito Silver badge

      Re: CIO & CSO Steps down

      Funny they didn't mention the fact that the now former CSO has a degree in music composition and not something security related.

      1. Mycho Silver badge

        Re: CIO & CSO Steps down

        I guess she came over from the RIAA.

      2. wolfetone Silver badge

        Re: CIO & CSO Steps down

        "Funny they didn't mention the fact that the now former CSO has a degree in music composition and not something security related."

        How many people are in jobs that have absolutely nothing to do with their academic degrees, yet still manage to do a perfectly good job?

        1. Eddy Ito Silver badge

          Re: CIO & CSO Steps down

          How many people are in jobs that have absolutely nothing to do with their academic degrees, yet still manage to do a perfectly good job?

          Probably plenty but if it's the case where she had a dozen years of experience in the field then why has nearly every trace of her experience been wiped from the internet? Appearances matter and it looks more like a coverup. It only raises suspicions that the job was filled by "who you know" rather than "what you know" and if it comes time to sit and answer questions in front of congress how do you think it will play out? I'm not saying she wasn't qualified but it's pretty clear that the ball got dropped on her watch and everything that's being done only makes it look worse.

          1. wolfetone Silver badge

            Re: CIO & CSO Steps down

            I do agree, but there are plenty of clowns working in IT saying they have 30 years experience but are absolutely piss poor in their own jobs.

            But hey, a company who couldn't be bothered to securely protect data they obtained from various sources aren't a company who will be thinking logically about how the deleting of their employee's history will look to the public.

  6. dukemasters
    WTF?

    Data stored up to 2016 but hacked in 2017? Time travelling hack?

    The statement mentions the data was being held in the US due to a "process failure" which meant that a limited amount of information was stored in North America between 2011 and 2016.

    If it was stored up to 2016 only, how was it still there in 2017 to get breached?

    The Press Release raises more questions than it answers.

  7. Anonymous Coward
    Anonymous Coward

    Just waiting for the current UK government

    to award Equifax the contract for overseeing online voting in the next General Election.

  8. Ken Moorhouse Silver badge

    Scammers have established that it is contacting 400,000 UK consumers...

    ...in order to offer them inappropriate advice and a range of malware to help infect and exploit them.

    FTFY

  9. Richard Jones 1
    WTF?

    How Will Contact Be made?

    I have had to change all of my email addresses since early this year as the original service provider gave up. In the event that my details were on the Faultyfax database how would anyone contact me? At least I should not get too many scam emails, but I quite like the idea of knocking ICO's door with a complaint. Sometimes the weight of numbers can upset their apple cart by making the stats look bad.

  10. Cowardly Anon

    Small print?

    Hmmm will these offers of services include the waiver of your right to be in a class action ala the US offer?

  11. Lion

    Passing the buck

    UK, Canada and Argentina are currently identified as having been 'possibly or 'probably' impacted by the breach. Followed by, 'as soon as we know for sure, everyone will be notified in writing'. Done and dusted as far as Equifax is concerned. Any time spent or incurred costs associated with what needs to be done next or to recover ones stolen identity will have been transferred to the consumer.

    Don't count on compensation even if you become the target of identity theft. Class action suits get big payouts for lawyers and a paltry sum for those who can prove they have suffered losses. Revenge maybe, but negligible compensation.

    The investigations will probably result in US fines and some minor regulations, but Equifax has cyber security insurance and an industry lobby behind them - expect watered down results. It is rare for Canada or the UK governments to levy fines for corporate wrong-doing, but hopefully they will consider revoking their corporate charter. If Equifax loses government permission to operate as a business in Canada and the UK, I think a lot of consumers will consider it justice serviced.

    .

  12. Morten Bjoernsvik

    equifax stock price still ~$90

    Since sep8 it has only dropped around $50. I would have expected much worse.

    Why cant folks hash their databases and use a tokenizer for lookups. You then only protect the tokenizer that only hold your username and the hash it references to in the database. And of course you change it monthly, Easier to protect a 2colum 30mill row table than an entire database. This is kept in your pcidss zone. where all access it logged and protected.

    1. hplasm Silver badge
      Unhappy

      Re: equifax stock price still ~$90

      "Why cant folks hash their databases and..."

      Because in this case, and probably many more, they don't have the tiniest clue of what they are supposed to be doing.

    2. PermissionToSpeakPlease

      Re: equifax stock price still ~$90

      "Since sep8 it has only dropped around $50. I would have expected much worse"

      They haven't lost any customer data. They've only lost some data that they were selling anyway, nothing for their customers to be overly worried about. There's just a one-off cost involved to be seen to be doing something now, but other than that there shouldn't be too much impact on long-term proffitablity from this. (sadly).

  13. EnviableOne Bronze badge

    Dewey, Cheetham and Howe

    time for the class action specialists I think

  14. adam payne Silver badge

    "This was due to a process failure, corrected in 2016, which led to a limited amount of UK data being stored in the US between 2011 and 2016."

    Corrected in 2016 but the data was still there in 2017?!?

    Why was it still there?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019