Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
Security United Kingdom Privacy

Equifax Increases Number of Britons Affected By Data Breach To 700,000 (telegraph.co.uk) 58

phalse phace writes: You know those 400,000 Britons that were exposed in Equifax's data breach? Well, it turns out the number is actually closer to 700,000. The Telegraph reports: "Equifax has just admitted that almost double the number of UK customers had their information stolen in a major data breach earlier this year than it originally thought, and that millions more could have had their details compromised. The company originally estimated that the number of people affected in the UK was 'fewer than 400,000.' But on Tuesday night it emerged that cyber criminals had targeted 15.2 million records in the UK. It said 693,665 people could have had their data exposed, including email addresses, passwords, driving license numbers, phone numbers. The stolen data included partial credit card details of less than 15,000 customers."

Equifax Increases Number of Britons Affected By Data Breach To 700,000

Comments Filter:
  • by Anonymous Coward

    Then we can be sure heads will roll, literally, in the Equifax C-suite.

    • by Anonymous Coward

      I'm sure the Queen would be furious if someone knew her information. Why, they might try to take out a loan in her name, or steal her tax return, or cash known bad checks in her name.

      • 1st Question: When would anyone the Queen and her court conducts business with have need of a credit history?

        2nd Question: When would the queen have need to buy anything using credit?

        3rd Question: Who, when conducting business with the west, would deny the Queen what she requests? When that is a matter or purchasing a desired good or product or service?
      • by rtb61 ( 674572 )

        If it was the NSA who conducted the breach, than they already have the Queens details, knowledge of tax evasions scams, corruption of democracy plots and the predilection of her family members for minors. When you are descended from homicidal maniacs who publicly tortured to death anyone who disagreed with them (also the rest of their family and even pets) and this without shame and embarrassment, in fact quite the opposite, celebrating the ancestors psychopathic douche baggery, you and your family are boun

    • Financial CEOs (Score:5, Interesting)

      by Roger W Moore ( 538166 ) on Tuesday October 10, 2017 @09:37PM (#55346893) Journal
      Actually, it would be a lot more effective if the people who had their details exposed were the heads of major financial companies. These are the people who choose to share our details with companies like Equifax and perhaps if they have their own personal details exposed they may be a lot more careful with whom they share our data in the future.
  • by Anonymous Coward

    I love imperial math units.

  • by bravecanadian ( 638315 ) on Tuesday October 10, 2017 @09:07PM (#55346749)

    No need to mete out the bad news. We know it was everyone.

    • This is how you boil a frog without it jumping out of the pot.
    • Why don't you tell everyone that your business model sucks - people are the product. At least Equifax has caused a review of IDENTITY. Just finished setting up a utility at a new home - guy wanted my SSN just to hook up some "service" - a point at which I normally balk; but then EQUIFAX comes to mind. Why not broadcast my SSN? Equifax has. I gave the guy the SSN frequently associated with a name similar to what I gave him. Passed a "credit check". Really, honestly, might not be 'me' - so thanx, Equif
  • by Anonymous Coward

    This is good news! The fact that this affected people outside the US means that maybe a government without a mouth full of corporate dicks will actually do something about it.

    • I doubt they can do much more than force organizations in their country not to provide this kind of information. Which is great for people in that country, but it won't hurt Equifax much at all. I doubt the WTO or any other international body can/will do anything.
      • Re: Good News (Score:4, Interesting)

        by Xest ( 935314 ) on Wednesday October 11, 2017 @03:41AM (#55347867)

        They're lucky it happened now, maximum fine is £500,000.

        Come May next year when GDPR comes into force they could've been charged 4% of global turnover.

        There is legislation in the UK to allow individuals to be held responsible though, so it's possible Equifax's security chief, CTO, or CEO could be held personally responsible if there's sufficient evidence they mishandled it.

        This industry is incredibly tightly regulated in the UK though, Equifax could lose it's license to practice as a CRA if there is evidence of severe negligence.

  • by Anonymous Coward

    When you get caught with something ( in this case data ) you're not even supposed to have . . . . . . .

    I like how they try to downplay it by pretending it was only X or Y. Completely avoiding the whole question of why they have it in the first place. :|

  • I don't know why they don't just admit that *everyone's* information is compromised and just be done with it.

    And then all credit bureaus should be forcibly shut down their databases burned. They are completely unneccessary and it's not even clear they provide a benefit to the lenders that use (and pay) them.

  • He usually has some wise words.

  • Perhaps it would be simpler to just start a list of everyone not affected by this data breach? It might sound like it would still be a long list, but after another year of revelations I think it will top out to a few dozen, maybe 50, people at most.

    • Perhaps it would be simpler to just start a list of everyone not affected by this data breach? It might sound like it would still be a long list, but after another year of revelations I think it will top out to a few dozen, maybe 50, people at most.

      That many people in Equifax’ upper management?

    • Obviously they cannot publish a whitelist. The only people who weren't affected are the people Equifax doesn't know about.

    • Perhaps it would be simpler to just start a list of everyone not affected by this data breach?

      What you mean both of them?

  • by ytene ( 4376651 ) on Wednesday October 11, 2017 @03:29AM (#55347843)
    I think that the single best piece of advice to give anyone who has a record held by Equifax is to assume that every single shred of information the company held on you has been compromised.

    The UK's data regulator, the Information Commissioner's Office, must immediately demand that Equifax provide them with proof that every single UK citizen on whom Equifax has held data has been contacted and has acknowledged that contact.

    Why so extreme? Because if one thing is apparent from this appalling incident it is that Equifax simply don't know what they are doing when it comes to safeguarding the data of their users. It is borderline offensive that a company can go public with a statement to admit that they have just detected a hack which took place months previously, only to then turn round within a matter of days and claim to know exactly what was accessed, what was stolen.

    The bottom line is that if an attacker was good enough to get into their systems and wander around for days, weeks or months without being detected, then it stands to reason that they were also good enough to make sure that logs of their activities were disabled and/or wiped. The mere fact that Equifax were hacked in the first place should tell us everything that we need to know about placing reliance on their IT Security or IT Forensic skills. [ And no, hiring in an outside specialist consultancy to help may not be good enough. When the data is gone, it's gone - a good attacker will have left few traces].

    There is another major problem with the Equifax approach. Publicly, they claim that "several hundred thousand" UK citizens may have been hit by their breach. Given the size of this number, it means that any individual contacted by Equifax will have to assume that "they are one of the unlucky ones". But this leaves us with two problems. Firstly, how do we know that Equifax aren't lying now and just contacting everyone? Are they making deliberately misleading statements to try and placate their regulators? Secondly - and potentially much more significantly - how do you know if you are an "Equifax customer" in the first place? They don't mean customer, do they? They mean data subject: i.e., victim. If you have a credit card or applied for a loan or purchased a car or an expensive product on any form of hire purchase or store credit agreement, then you are potentially an Equifax customer. But when you bought your three-piece suite or that new car, did the store or dealership explicitly tell you that their credit-checking services were provided by Equifax? I doubt it.

    I think the British people need to be demanding that Equifax are:-

    1. Given a *massive* fine by the Information Commissioner's Office.
    2. Made to pay compensation to every UK citizen held in their records.
    3. Forced to provide lifelong free credit protection services, including alerting them when people run credit checks against them or attempt to access their records.
    3. Forced to disclose, completely, in 100% detail, every last scrap of data held by Equifax against every UK citizen. If necessary, to offer to explain to the person what has been taken and how it could be used, to educate their victims and help them defend against identity theft and fraud.
    4. Have their license for operating in the UK revoked, immediately, and be prevented from operating in the UK or taking or collecting data from UK subjects.

    Only something as clear and powerful as this will send a message to companies like Equifax that they are putting people at tremendous risk. These companies see themselves as untouchable, see their business model as all up-sides. They get their data for free as part of 2-way deals, and then sell it on for a profit.

    These people are parasites.
    • by Maritz ( 1829006 )
      They should be broken up. Simple as that. Fuck ups this big should result in the company in question not existing any more. Anything less will be seen for what it is - permission to do whatever the fuck they like.
      • by ytene ( 4376651 )
        Agreed - but I would go further...

        The government concerned needs to send a clear message to other information brokers, to make it very clear to them that there is zero tolerance for this sort of data breach. There needs to be a real, material punishment. I accept that revoking an [information broker] license that would bar the culprit from the market permanently, but I would like to see the participants actually held to personal account for the failures they have presided over.

        And if there aren't suff
    • by AmiMoJo ( 196126 )

      You can't punish Equifax too harshly because if they collapse they take millions of people's credit history with them. If, for example, you years of on-time mortgage payments are logged by Equifax and their records go away, all that information will be lost and your perceived risk to creditors will go up.

      For Equifax to lose their licence what they did would have to be worse than the consequences of those records being lost.

      However...

      3. Forced to provide lifelong free credit protection services, including alerting them when people run credit checks against them or attempt to access their records.
      3. Forced to disclose, completely, in 100% detail, every last scrap of data held by Equifax against every UK citizen. If necessary, to offer to explain to the person what has been taken and how it could be used, to educate their victims and help them defend against identity theft and fraud.

      Those should be mandatory for all credit reference agencies anyway.

      • by ytene ( 4376651 )
        So what you are essentially arguing is that Equifax are 'too big to fail'? That the cure is worse than the disease?

        Sorry, I don't buy it. Equifax have already demonstrated that they cannot be trusted to keep consumer data safe. There are only two remedies for this:

        1. Take the data away from them.
        2. Find a way of providing an absolutely SOLID guarantee that all their data is now and will remain 100% secure...

        Think about that second item for a moment. Who among their data subjects would trust them w
        • by AmiMoJo ( 196126 )

          Yes, that's what I'm saying. You could write to them withdrawing your consent for them to hold data about you, but all that would do is damage your ability to get credit.

          I agree it's a really bad situation. Taking the data off them wouldn't really solve the problem, just hand it to another bunch of idiots. The core of the problem is relying on such databases to determine credit worthiness.

          • by ytene ( 4376651 )
            Curiously, I find myself agreeing with you about everything you write except our differing view on the appropriate remedy.

            We agree it's a bad situation...

            With respect to taking the data away from Equifax, we have a slightly different view. In my idea world, the government would step in, bar Equifax from operating, charge the directors with criminal negligance and then take the Equifax data set and offer it for sale to other companies in the market. They would include a set of terms and conditions that
  • ISO certification (Score:4, Interesting)

    by pD-brane ( 302604 ) on Wednesday October 11, 2017 @04:22AM (#55347965) Homepage

    From Equifax' website:

    Equifax is ISO/IEC 27001:2013 certified by a reputable independent third party.

    It is difficult to imagine now that ISO/IEC 27001 (information security management) means anything.
    Who is this "reputable independent third party"?

    • Re:ISO certification (Score:4, Interesting)

      by ytene ( 4376651 ) on Wednesday October 11, 2017 @05:13AM (#55348053)
      In order for Equifax to legitimately place that statement on their web site, they would have been required to complete an annual ISO27001 Security Audit, conducted by a Certified ISO Security Auditor.

      Such an audit is valid for a maximum duration of 12 months and thus has to be completed annually. It would be very interesting to compare the results of that audit with details of the system[s] that were breached, to determine what level of diligence was provided by the ISO Auditor.

      I wonder if Equifax can substantiate that claim? Interesting...
    • Does the auditing process involve proper tiger-team pen-testing?

    • by chihowa ( 366380 )

      They're not going to tell you that! That third party has a reputation to uphold.

  • If you have ever participated in the 20th or 21st Century banking or credit system, Equifax has given away your personally identifiable information.

He who steps on others to reach the top has good balance.

Working...