UK Treasury Committee chairman calls on Equifax to answer for breach omnishambles

Equifax may soon face the wrath of UK politicians after the chairman of the country's House of Commons Treasury Committee demanded answers from the firm over its handling of its recent data breach. Nicky Morgan MP has written to the chief executive of Equifax Limited asking for further details about the scale of the breach, …

  1. wolfetone Silver badge

    Why are the details of 700,000 non-US "customers" included along with test data?

    1. Aladdin Sane

      Because the ICO is toothless and therefore Equifax didn't give a shit.

      1. wolfetone Silver badge

        "Because the ICO is toothless and therefore Equifax didn't give a shit."

        Didn't? Or doesn't?

        1. Aladdin Sane

          GDPR is coming in, they may be starting to give a shit.

          1. Anonymous Coward

            "GDPR is coming in, they may be starting to give a shit."

            No. At talks, the ICO representatives repeatedly state they don't want to impose monetary penalties on companies for failure and don't want to be seen as an "always fining" regulator. The only fines they want to give out are to telesales companies...

            They go to great lengths saying GDPR shouldn't change anything "because you are all compliant with the DPA1998 anyway." Not sure if it is meant sarcastically or if the ICO really does think companies give even a tiny fraction of a toss about personal data.

      2. }{amis}{
        Mushroom

        The ICO

        The ICO is useless..... But as a tech who works in the finance industry at the mo, I can tell you the FSA is very much feared and respected, and they do have the mandate to investigate misuse of financial data, which all of this is.

    2. Lysenko

      "Why are the details of 700,000 non-US "customers" included along with test data?"

      Quite possibly they were the test data. For a predominantly anglophone country like the USA, the logical countries to source customer name lists for testing are UK, Canada and Australia. You can't use random strings in place of names[1] (cardinality is all wrong, so index optimisation would be too), you don't want data from "foreign language" countries and you certainly don't want to be using actual Americans (because: Tort Lawyers).

      [1] Yes, I know there are ways around that but they require a degree of competence and attention to detail that these people clearly didn't see the need for on the payroll.

      1. Anonymous Coward

        Re: Why are the details of 700,000 non-US "customers" included along with test data?

        Anecdotally confirmed: after my employer was taken over by a US multinational, they were completely startled and nonplussed when we pointed out that moving databases stuffed with PII over to the US without any notification or oversight about what they did with it was possibly illegal. They were going to be using real mail spools for testing.

    3. Peter X

      "Why are the details of 700,000 non-US "customers" included along with test data?"

      They said some was duplicate and some test data, so at a guess, there was a "test" DB that was a duplicate of a production DB that they used for testing with. So that's all fine then! :D

    4. VinceH

      "Why are the details of 700,000 non-US "customers" included along with test data?"

      Because Equifax fucked up - this data was stored in the US in error; the result of a "process failure."

      Equifax knew they'd fucked up - this process failure was supposedly corrected in 2016.

      But Equifax have clearly fucked up the correction of the fuck up, given that the data was still there to be hacked in May 2017.

      And, of course, they also fucked up by not keeping up with patches, resulting in that hack.

    5. kain preacher

      Because they can and who is going to stop them. Oh and last time I got an update they said it was close to 5,000,000 brits.

  2. rmason

    Will keep rising

    This number will keep going up, it's clear the breach is a large one, and they hold information on practically everyone of adult age in the UK.

    Anyone who has ever had any sort of financial product, or even those who have tried but always failed.

    The number of breaches will end up being quite close to "All of you" I think. Or so close as not to matter.

    1. Aladdin Sane

      Re: Will keep rising

      By the looks of it, only people who have had an account with Equifax (signed up for free credit report etc.) have been hit by this.

      1. Alan Brown Silver badge

        Re: Will keep rising

        "only people who have had an account with Equifax (signed up for free credit report etc."

        Or one of Equifax's myriad sock puppet companies.

        In this instance, "customers" have an "account" with Equifax whether they know it or not. I DPA section 11'd them (and a few other companies) a few years back after I discovered they were selling marketing data containing my details. They made it clear that whilst they'd tag my account to not sell anything, they would be keeping the data on file.

  3. }{amis}{
    FAIL

    This will continue.......

    The problem I have with the reporting of these kinds of breaches is that the evaluation of the amount of data lost, and what kind of data is affected, is done by the same bunch of idiots that caused the mess in the first place.

    If we want to move protection against this kind of problem forward, we need to have a legal mandate that the evaluation and remediation is done by a qualified third party at the company's expense and the report is openly published.

    That way they end up with a bill that fits the mess that they caused and there is no squirming away from the reputation damage.

    1. Detective Emil
      Thumb Up

      Re: This will continue.......

      Agreed. Although victims of enormous breaches who get sued do tend eventually to call in third-party forensic teams at vast expense so as to have an assessment of the damage that has a chance of standing up in court. These teams tend to find that the problem was even bigger than first thought, and the information, if released at all, is released late on Friday on the west coast.

  4. zaphy42
    FAIL

    It gets worse..

    Indications of compromise on their Website yesterday...

    https://arstechnica.com/information-technology/2017/10/equifax-website-hacked-again-this-time-to-redirect-to-fake-flash-update/


  6. Anonymous Coward

    Don't give a toss about UK

    We can't even check trustedidpremier.com as they have blocked access from outside the USA.

    So they certainly don't consider us a risk in terms of regulatory proceedings.

  7. I Am Spartacus
    Paris Hilton

    Am I impacted

    Who knows?

    ERROR

    The request could not be satisfied.

    The Amazon CloudFront distribution is configured to block access from your country.

    Generated by cloudfront (CloudFront)

    Request ID: 0qeocyIVfz5MQfWTbmQYG7gMl0ASHqk8mNrv-7e60sbXDSTbLfizAw==

  8. Lion

    Pretty Please - oh please

    The governments of Canada, Australia, UK and Brazil approached Equifax with kid gloves. In other words, they said 'Please, when you get around to it, let us know how many of our citizens are at risk.' They would have waited without any sense of urgency if it had not been for this huge backlash from the public. Now they feel the need to nudge Equifax for answers, so they have followed up with a 'Pretty Please'.

    Equifax is feeling a degree of pressure from the US government, but that is just a show. The curtain will fall in a few months and that will be the end of it. Lawmakers will not punish Equifax (no fines) or change the credit reporting industry anytime soon.

    They care not for anybody beyond their borders.

    Governments outside the US have allowed credit reporting bureaus to operate in the manner in which they do. They know how this breach happened. They know how Equifax responded to the breach. They know their citizens have been compromised. There is no need to wait for Equifax to respond with their letter writing campaign. Nothing should be stopping governments at this time, other than their indifference, from immediately producing stringent legislation to regulate this industry: prioritize it and pass it. Follow up with a compensation calculation for victims and forward that to Equifax.

    1. John G Imrie

      Re: Pretty Please - oh please

      Won't happen in the UK. There are currently only two active policies being pursued by the UK government:

      1) Brexit

      2) The survival of the Tory Party.

      1. Anonymous Coward
        Thumb Up

        Re: Pretty Please - oh please

        Listed in reverse priority order.

    2. Mark 85

      Re: Pretty Please - oh please

      If you were in government, would you push someone (or some company) that held vast amounts of your personal data? All that's needed to bring you back into line with the company is "oops, we got breached and all your data is in the wild and being used".

  9. JMiles

    Any company that submitted data to Equifax is in trouble...

    ... when a company tells you they'll share their info with credit reference agencies they remain responsible for what happens to the data once they send it off. Once in a while I wish we did have the litigious ambulance chasing lawyers in the UK like they have in the US and can sueball Equifax into non-existence.

  10. Anonymous Coward

    Equifax are utter scum

    I've been asking them since the start of the year to correct information they are reporting about me and I'm going around in circles, and they keep closing the case. I've complained to the ICO and they are worse: absolutely no response from them.

    I'll try the FSA next and see how I get on.

    They have a duty of care to ensure the information they hold on all of us is correct, which is I think why they all have free access to your credit scores now (ClearScore, Money something and Experian's thing).

    Considering the impact an error can have on your ability to work, rent or buy, there should be greater oversight of their operations.

  11. Graham Cobb Silver badge

    Regulation of credit references

    The credit reference business needs some serious regulation. Yes, credit checks (for businesses and individuals) are important to keep our economy functioning but the processes and data behind that should be extremely heavily regulated (one level down from health data).

    Reform should mean that data kept must be limited to a small number of permitted categories, all recent and personal (not hearsay or "linked"), with the sources clear, and limited to clear factual data which can be easily either confirmed or refuted and immediately fixed without the co-operation of the source. The data subjects must be able to see all data held on them, all requests made, and all analysis/reports made and the data subject must be able to put blocks on access to their data from certain sources or for certain types of requests (understanding that that might mean they are refused credit).

    Yes, this would make credit reporting less useful -- with a higher risk of bad debt. But so be it -- the economy won't collapse over that. That should be the price paid by an industry which gets a free pass in terms of receiving, keeping, and processing, personal data without permission.

  12. Anonymous Coward

    GDPR

    I imagine that when GDPR comes in next year, they will find that a reasonable percentage of the country requests their data be deleted.

    How will the financial companies that abuse this info already cope then?

    Will you keep your data in the credit bureaus when they are so "trustworthy"?

    1. cantankerous swineherd

      Re: GDPR

      When GDPR comes in you'll find credit reporting bureaus are exempt because terrorism.

  13. ThatOne Silver badge
    Facepalm

    (Don't know if my post will ever appear (apparently 50% of my posts never made it through), but here goes:)

    Hearing people, one might think GDPR is some saviour who will right all wrongs. I fear it isn't and it won't.

    It's just a law, and it depends on how (and if) it's applied. For instance I wouldn't be surprised if Equifax is forgiven because well, you know, accidents happen, and my friends' friends are my friends too (Who cares about users. Rabble, all of them. No matter what happens to them there always will be enough around to keep us afloat.).
