The records relate to individuals who entered its database between 2011 and 2016, along with “sizeable test datasets, duplicates and spurious fields”, which suggests that potentially anyone in Britain who applied for a financial product requiring a credit check during that period could be caught up by the breach in some way.
Importantly, not everyone is affected to the same degree. The highest-risk group comprises 693,665 people (up from September’s 400,000 estimate), made up of the following groups:
- 14,961 people who had “portions” of their 2014 equifax.co.uk membership details accessed, including user names, passwords, secret questions/answers, and partial credit card details
- 637,430 people whose phone numbers were accessed
- 29,188 people whose driving license numbers were accessed
- 12,086 people who had an email address associated with their equifax.co.uk account in 2014
The company is now contacting these people by letter “to offer them Equifax and third-party safeguards” in the form of subscriptions to the company’s ID protection service.
What does this admission tell us about the scale of damage the breach will cause in the UK?
Let’s start with the large number of people not deemed high risk. The company states:
The balance of the 14.5m records potentially compromised may contain the name and date of birth of certain UK consumers. Whilst this does not introduce any significant risk to these people, Equifax is sorry that this data may have been accessed.
In Equifax’s view, then, this group does not face significant risks despite an unknown number having personally identifiable data compromised (data that is often used by banks for security questions, for example). This assessment isn’t exactly reassuring.
The next concern is what Equifax plans to do to protect the nearly 694,000 people in the highest-risk categories.
Of these, 56,235 will be offered free subscriptions to the company’s Equifax Protect ID service that gives users unlimited access to credit files held on them as well as emailed reports of any new activity.
The company hasn’t confirmed how long this service will be offered free of charge, but the risk is likely to remain high for these individuals for many years to come.
The remaining 637,430 whose telephone numbers were accessed will also be offered a free “identity monitoring service”, although it’s not clear which one or for how long it will remain in place.
What the UK Information Commissioner’s Office (ICO) will make of all this is anyone’s guess, but it’s a reminder that one of the most serious data breaches ever to affect UK citizens happened in the US, beyond the oversight of this country’s data protection regime.
It’s not even clear whether 2016’s tightened EU-US Privacy Shield agreement, which governs how data on EU citizens should be handled when transferred by US companies, would have made a difference.
In the end, most of the Britons caught up in the great Equifax breach of 2017 will probably shrug their shoulders. Many will never have heard of Equifax, let alone been aware it held their personal data, and Equifax seems satisfied to have kept them waiting weeks for information.
Security expert Bruce Schneier recently summed up the strange situation “customers” find themselves in with the following observation:
Markets work because buyers choose between sellers, and sellers compete for buyers. In case you didn’t notice, you’re not Equifax’s customer. You’re its product.
Judging by the response we’ve seen, people in the US have certainly noticed, but we aren’t holding our breath for reform there either.